Abstract

The classical technique for proving termination of a generic sequential computer
program involves the synthesis of a ranking function for each loop of the program.
Linear ranking functions are particularly interesting because many terminating
loops admit one and algorithms exist to automatically synthesize it. In this paper
we present two such algorithms: one based on work dated 1991 by Sohn and Van
Gelder; the other, due to Podelski and Rybalchenko, dated 2004. Remarkably, while
the two algorithms will synthesize a linear ranking function under exactly the same
set of conditions, the former is mostly unknown to the community of termination
analysis and its general applicability has never been put forward before the
present paper. In this paper we thoroughly justify both algorithms, we prove their
correctness, we compare their worst-case complexity and experimentally evaluate
their efficiency, and we present an open-source implementation of them that will
make it very easy to include termination-analysis capabilities in automatic program
verifiers.

Keywords: Static analysis, computer-aided verification, termination analysis. 



1. Introduction 

Termination analysis of computer programs (a term that here we interpret in its
broadest sense) consists in attempting to determine whether execution of a given
program will definitely terminate for a class of its possible inputs. The ability
to anticipate the termination behavior of programs (or fragments thereof) is
essential to turn assertions of partial correctness (if the program reaches a
certain control point, then its state satisfies some requirements) into assertions
of total correctness (the program will reach that point and its state will satisfy
those requirements). It is worth observing that the property of termination of a
program fragment is not less important than, say, properties concerning the absence
of run-time errors. For instance, critical reactive systems (such as fly-by-wire
avionics systems) must maintain a continuous interaction with the environment:
failure to terminate of some program components can stop the interaction the same
way as if an unexpected, unrecoverable run-time error occurred.

Developing termination proofs by hand is, as any other program verification task,
tedious, error-prone and, to keep it short, virtually impossible to conduct
reliably on programs longer than a few dozens of lines. For this reason, automated
termination analysis has been a hot research topic for more than two decades. Of
course, due to well-known limitative results of computation theory, any automatic
termination analysis can only be expected to give the correct answer ("the program
does — or does not — terminate on these inputs") for some of the analyzed programs
and inputs: for the other programs and inputs the analysis will be inconclusive
("don't know"). It is worth noticing that there is no need to resort to the halting
problem to see how hard proving termination can be. A classical example is the
$3x + 1$ problem,¹ whose termination for any $n$ has been a conjecture for more
than 70 years:

    while n > 1 do
      if (n mod 2) ≠ 0 then n := 3n + 1
      else n := n div 2

The classical technique for proving termination of a generic sequential computer
program consists in selecting, for each loop $w$ of the program:

1. a set $S_w$ that is well-founded with respect to a relation
   $R_w \subseteq S_w \times S_w$; namely, for each $U \subseteq S_w$ such that
   $U \neq \emptyset$, there exists $v \in U$ such that $(u, v) \notin R_w$ for
   each $u \in U$;

2. a function $f_w$ from the set of program states that are relevant for $w$
   (e.g., those concerning the head of the loop and that are reachable from a
   designated set of initial states) to the set $S_w$, such that the values of
   $f_w$ computed at any two subsequent iterations of $w$ are in relation $R_w$.

The function $f_w$ is called ranking function, since it ranks program states
according to their "proximity" to the final states. Let us focus on deterministic
programs, and consider a loop $w$ and a set of initial states $\Sigma_I$ for $w$.
Assume further that the body of $w$ always terminates when $w$ is initiated in a
state $\sigma \in \Sigma_I$ and that $\Sigma_F$ is a set of final states for $w$,
that is, $w$ immediately terminates when it is initiated in a state
$\sigma \in \Sigma_F$. If we fix any enumeration
$\Sigma_I = \{\sigma_0, \sigma_1, \ldots\}$, then the computations of $w$ we are
interested in can be represented by the (possibly infinite) sequence of (possibly
infinite) sequences (1).

Let $\Sigma_w$ be the set of all states that occur in (1). Suppose that we succeed
in finding a ranking function $f_w \colon \Sigma_w \to S_w$, where $S_w$ is
well-founded with respect to $R_w$ and, for each $m, n \in \mathbb{N}$, if
$\sigma^m_n$ and $\sigma^{m+1}_n$ occur in (1), then
$(f_w(\sigma^{m+1}_n), f_w(\sigma^m_n)) \in R_w$. In this case we know that all
the sequences in (1), and hence all the computations they represent, are finite.

¹Also known as the Collatz problem, the Syracuse problem, Kakutani's problem,
Hasse's algorithm, and Ulam's problem: see, e.g., [ ].

Example 1.1. Consider the following loop, where $x$ takes values in $\mathbb{Z}$:

    while x ≠ 0 do
      x := x − 1

Here the state at the loop head can be simply characterized by an integer number:
the value of $x$. If we take $\Sigma_I := \mathbb{N}$ then the computation
sequences of interest are

    $n,\ n - 1,\ \ldots,\ 0 \qquad (n \in \mathbb{N})$

We thus have $\Sigma = \mathbb{N}$ and $\Sigma_F = \{0\}$. If we define
$S := \mathbb{N}$, $f$ as the identity function over $\mathbb{N}$, and
$R := \{ (h, k) \mid h, k \in \mathbb{N}, h < k \}$, then $S$ is well founded with
respect to $R$ and $f$ is a ranking function (with respect to $\Sigma$, $S$ and
$R$).

Observe that, in the example above, taking $R$ as the predecessor relation, i.e.,
$R := \{ (h, k) \mid h, k \in \mathbb{N}, h = k - 1 \}$, would have worked too; or
$f$ could have been defined as the function mapping $h$ to $2h$, in which case $S$
could have been left as before or defined as the set of even nonnegative
integers. ... In general, if a ranking function exists, an infinite number of them
do exist. The next example shows that freedom in the choice of the well-founded
ordering can be used to obtain simpler ranking functions.

Example 1.2. Consider the following program, where variables take values in
$\mathbb{N}$ and comments in braces describe the behavior of deterministic program
fragments that are guaranteed to terminate and whose details are unimportant:

    var a : array [1 .. n] of unsigned integer;
    { all elements of a are written }
    while a[1] > 0 do
      { i takes a value between 1 and n such that a[i] ≠ 0 }
      a[i] := a[i] − 1
      { positions i + 1, i + 2, ..., n of a are possibly modified }

Here we can take $\Sigma_I = \Sigma = \mathbb{N}^n$ and
$\Sigma_F = \{0\} \times \mathbb{N}^{n-1}$. If we define $S := \mathbb{N}^n$,
$f$ as the identity function over $\mathbb{N}^n$, and
$R \subseteq \mathbb{N}^n \times \mathbb{N}^n$ as the lexicographic ordering over
$\mathbb{N}^n$, then $f$ is a ranking function with respect to $\Sigma$, $S$ and
$R$. Finding a ranking function having $\mathbb{N}$ as codomain would have been
much more difficult and could not be done without a complete knowledge of the
program fragments we have summarized with the comments between braces.
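The two examples above can be exercised by running the loops and checking, after every iteration, that the candidate ranking function decreases in the chosen well-founded relation. The Python block below is an added example written for this page, not code from the paper or from the Parma Polyhedra Library; the `choose` and `fill` callbacks are assumptions standing in for the nondeterministic choice of $i$ and for the unspecified modification of positions $i+1, \ldots, n$ in Example 1.2, and indices are 0-based in the code.

```python
"""Dynamic check of candidate ranking functions for Examples 1.1 and 1.2 (added example)."""
import operator
from typing import Sequence


def lexicographic_less(s: Sequence[int], t: Sequence[int]) -> bool:
    """s precedes t lexicographically: s[i] < t[i] at the first index where they differ."""
    for a, b in zip(s, t):
        if a != b:
            return a < b
    return False  # equal tuples are not in the (strict) relation


def run_checked(state, guard, body, rank, less, max_steps: int = 100_000) -> int:
    """Execute `while guard(state) do state := body(state)` and check, at every
    iteration, that (rank(new), rank(old)) is in the relation `less`.  Returns the
    number of iterations; raises AssertionError on the first non-decreasing step."""
    steps = 0
    while guard(state):
        new_state = body(state)
        if not less(rank(new_state), rank(state)):
            raise AssertionError(f"rank did not decrease: {state} -> {new_state}")
        state = new_state
        steps += 1
        if steps > max_steps:
            raise RuntimeError("loop did not terminate within the step budget")
    return steps


def example_1_1(n: int, rank=lambda x: x, less=operator.lt) -> int:
    """Example 1.1: `while x != 0 do x := x - 1`, started from x = n in N.
    The default candidate is the identity over N with R = {(h, k) | h < k}."""
    return run_checked(n, lambda x: x != 0, lambda x: x - 1, rank, less)


def example_1_2(a: Sequence[int], choose=min, fill=lambda j: 0,
                rank=tuple, less=lexicographic_less) -> int:
    """Example 1.2: `while a[1] > 0 do a[i] := a[i] - 1`, with i chosen among the
    non-zero positions by `choose` (any policy is allowed by the text) and the
    positions after i overwritten by `fill` (the "possibly modified" fragment).
    Indices are 0-based here, so the guard reads a[0] > 0.  The default candidate
    is the identity over N^n ordered lexicographically."""
    def body(arr):
        arr = list(arr)
        i = choose(j for j, v in enumerate(arr) if v != 0)  # non-empty: arr[0] > 0
        arr[i] -= 1
        for j in range(i + 1, len(arr)):
            arr[j] = fill(j)  # later positions may even grow
        return arr
    return run_checked(list(a), lambda arr: arr[0] > 0, body, rank, less)


def candidate_accepted(a: Sequence[int], rank, less, **kw) -> bool:
    """True if the candidate (rank, less) decreases on every observed step of Example 1.2."""
    try:
        example_1_2(a, rank=rank, less=less, **kw)
        return True
    except AssertionError:
        return False


if __name__ == "__main__":
    print(example_1_1(5))                                     # 5 iterations
    print(example_1_2([2, 0], choose=max, fill=lambda j: 2))  # 4 iterations
    # The sum of the entries ordered by < is not a ranking function: later
    # positions may grow, so the sum need not decrease.
    print(candidate_accepted([2, 0], sum, operator.lt, choose=max, fill=lambda j: 2))
```

The check is dynamic: it can refute a candidate on the runs it observes (as the sum-based candidate is refuted on the constructed run), but a run that passes only confirms the candidate for that run, which is why the paper turns to proofs over the loop's semantics rather than to execution.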

We have seen that, if there exists a ranking function, then all computations
summarized by (1) terminate. What is interesting is that the argument works also
the other way around: if all the computations summarized by (1) do terminate, then
there exists a ranking function (actually, there exists an infinite number of
them). In fact, suppose all the sequences in (1) are finite. Since the program is
deterministic, any state occurs only once in every sequence. Moreover, if a state
$\sigma$ occurs in more than one sequence, then the suffixes of these sequences
that immediately follow $\sigma$ are all identical (since the future of any
computation is completely determined by its current state). The function mapping
each $\sigma$ in $\Sigma_w$ to the natural number representing the length of such
suffixes is thus well defined and is a ranking function with respect to $\Sigma_w$
and $\mathbb{N}$ with the well-founded ordering given by the '$<$' relation.

It is worth observing that the above argument implies that if any ranking function
exists, then there exists a ranking function over $(\mathbb{N}, <)$. This
observation can be generalized to programs having bounded nondeterminism:
therefore, ranking functions on the naturals are sufficient, for instance, when
modeling the input of values for commonly available built-in data types. However,
as illustrated by Example 1.2, the use of more general well-founded orderings can
simplify the search for a ranking function. Moreover, such a generalization is
mandatory when dealing with unbounded nondeterminism [ ] (see also [ , Section 10]).

The termination of a set of computations and the existence of a ranking function
for such a set are thus completely equivalent. On the one hand, this means that
trying to prove that a ranking function exists is, at least in principle, not less
powerful than any other method we may use to prove termination. On the other hand,
undecidability of the termination problem implies that the existence of a ranking
function is also undecidable. An obvious way to prove the existence of a ranking
function is to synthesize one from the program text and a description of the
initial states: because of undecidability, there exists no algorithm that can do
that in general.
The use of ranking functions as a tool to reason about termination can be traced
back to the seminal work of R. W. Floyd in [ ], where they are introduced under
the name of W-functions. Since then, several variations of the method have been
proposed so as to extend its applicability from the realm of classical sequential
programs to more general constructs (e.g., concurrency). In particular, in [ ]
seven different 'à la Floyd' induction principles for nondeterministic transition
systems are formally shown to be sound, semantically complete and equivalent. For
instance, it is shown that it is sufficient to consider a single, global ranking
function, instead of a different ranking function for each program control point,
as originally proposed in [4]; and that the decrease of such a global ranking
function need not be verified at all program control points, but it is enough to
consider a minimal set of loop cut-points; moreover, when trying to prove
properties that only depend on the current state of the system (e.g., termination
of a deterministic program), it is always possible to find a ranking function
depending on the current state only, i.e., independent of the initial state of the
system. Note that these results have been implicitly exploited in the examples
above so as to simplify the presentation of the method.

In this paper we present, in very general terms so as to encompass any programming
paradigm, the approach to termination analysis based on the explicit search of
ranking functions. We then restrict attention to linear ranking functions obtained
from linear approximations of the program's semantics. For this restriction, we
present and fully justify two methods to prove the existence of linear ranking
functions: one, based on work dated 1991 by Sohn and Van Gelder, that is almost
unknown outside the field of logic programming even though, as we demonstrate in
the present paper, it is completely general; the other, due to Podelski and
Rybalchenko, dated 2004, was proved correct by the authors but the reasons why it
works were never presented. We then provide a proof of equivalence of the two
methods, thus providing an independent assessment of their correctness and relative
completeness. We also compare their theoretical complexity and practical efficiency
on three related problems:

1. proving that one linear ranking function exists;

2. exhibiting one such function;

3. computing the space of all linear ranking functions.

The experimental evaluation is based on the implementation of the two methods
provided by the Parma Polyhedra Library [5], a free software library of numerical
abstraction targeted at software/hardware analysis and verification. These
implementations are, to the best of our knowledge, the first ones that are being
made available, in source form, to the community. For this reason, the
implementations should be regarded as complementary to the present paper in the
common aim of making the automatic synthesis of linear ranking functions known
outside programming language barriers, understandable and accessible.

The plan of the paper is as follows: Section 2 recalls preliminary notions and
introduces the notation used throughout the paper; Section 3 introduces the
problem of automatic termination analysis of individual loops and its solution
technique based on the synthesis of ranking functions; Section 4 presents a simple
generalization of the approach of [6] that is generally applicable to termination
analysis of any language; Section 5 shows and fully justifies the approach of [7];
Section 6 proves the two methods are equivalent and compares them from the point
of view of computational complexity; Section 7 presents the implementation of the
two approaches offered by the Parma Polyhedra Library and the corresponding
experimental evaluation, providing a comparison of their practical efficiency;
Section 8 concludes.

2. Preliminaries 

2.1. Set Theory 

The set of all finite sequences of elements of $S$ is denoted by $S^*$. The empty
sequence is denoted by $\varepsilon$ and the length of a sequence $w$ is denoted
by $|w|$.

The sets of non-negative integers, rationals and reals are denoted by
$\mathbb{N}$, $\mathbb{Q}_+$ and $\mathbb{R}_+$, respectively.

2.2. Linear Algebra 

For each $i \in \{1, \ldots, n\}$, $v_i$ denotes the $i$-th component of the real
(column) vector $v = (v_1, \ldots, v_n) \in \mathbb{R}^n$. A vector
$v \in \mathbb{R}^n$ can also be interpreted as a matrix in $\mathbb{R}^{n \times 1}$
and manipulated accordingly with the usual definitions for addition,
multiplication (both by a scalar and by another matrix), and transposition, which
is denoted by $v^{\mathrm{T}}$, so that
$(v_1, \ldots, v_n) = (v_1 \;\cdots\; v_n)^{\mathrm{T}}$. If $v \in \mathbb{R}^n$
and $w \in \mathbb{R}^m$, we will write $(v, w)$ to denote the column vector in
$\mathbb{R}^{n+m}$ obtained by "concatenating" $v$ and $w$, so that
$(v, w) = (v_1, \ldots, v_n, w_1, \ldots, w_m)$. The scalar product of
$v, w \in \mathbb{R}^n$ is the real number
$v^{\mathrm{T}} w = \sum_{i=1}^n v_i w_i$. The identity matrix in
$\mathbb{R}^{n \times n}$ is denoted by $I_n$. We write $0$ to denote a matrix in
$\mathbb{R}^{n \times m}$ having all of its components equal to zero; the
dimensions $n$ and $m$ will be clear from context. We sometimes treat scalars as
vectors in $\mathbb{R}^1$ or matrices in $\mathbb{R}^{1 \times 1}$.

For any relational operator ${\bowtie} \in \{<, \le, =, \ge, >\}$, we write
$v \bowtie w$ to denote the conjunctive proposition
$\bigwedge_{i=1}^n (v_i \bowtie w_i)$. Moreover, $v \neq w$ will denote the
proposition $\neg(v = w)$. We will sometimes use the convenient notation
$a \bowtie_1 b \bowtie_2 c$ to denote the conjunction
$a \bowtie_1 b \wedge b \bowtie_2 c$ and we will not distinguish conjunctions of
propositions from sets of propositions. The same notation applies to vectors
defined over other numeric fields and, for the supported operations, to vectors
defined over numeric sets such as $\mathbb{N}$ and $\mathbb{Q}_+$.

2.3. First- Order Logic 

A triple $\Sigma = (S, F, R)$ is a signature if $S$ is a set of sort symbols,
$F := (F_{w,s})_{w \in S^*, s \in S}$ is a family of sets of function symbols and
$R := (R_w)_{w \in S^*}$ is a family of sets of relation symbols (or predicate
symbols). If $F_{s_1 \cdots s_n, s} \ni f$ we use the standard notation for
functions and write $F \ni f \colon s_1 \times \cdots \times s_n \to s$.
Similarly, if $R_{s_1 \cdots s_n} \ni p$ we use the standard notation for
relations and write $R \ni p \subseteq s_1 \times \cdots \times s_n$. A
$\Sigma$-structure $\mathcal{A} = (S^{\mathcal{A}}, F^{\mathcal{A}}, R^{\mathcal{A}})$
consists of: a set $S^{\mathcal{A}}$ containing one arbitrary set $s^{\mathcal{A}}$
for each sort symbol $s \in S$; a family $F^{\mathcal{A}}$ of sets of functions
such that, for each $f \colon s_1 \times \cdots \times s_n \to s$, a function
$f^{\mathcal{A}} \colon s_1^{\mathcal{A}} \times \cdots \times s_n^{\mathcal{A}} \to s^{\mathcal{A}}$
belongs to $F^{\mathcal{A}}$; a family $R^{\mathcal{A}}$ of sets of relations
defined similarly.

Let $X$ be a denumerable set of variable symbols. The set of $(\Sigma, X)$-terms
(or, briefly, terms) is inductively defined as usual: elements of $X$ are terms
and, for each $f \in F_{w,s}$ with $|w| = k$, if $t_1, \ldots, t_k$ are terms,
then $f(t_1, \ldots, t_k)$ is a term. If $p \in R_w$ with $|w| = k$ and
$t_1, \ldots, t_k$ are terms, then $p(t_1, \ldots, t_k)$ is an atomic
$(\Sigma, X)$-formula. $(\Sigma, X)$-formulas are built as usual from atomic
formulas and logical connectives and quantifiers. The first-order language
$\mathcal{L}(\Sigma, X)$ is the set of all $(\Sigma, X)$-formulas. The notions of
bound and free variable occurrence in a formula are also defined in the standard
way. We will routinely confuse a tuple of variables with the set of its
components. So, if $\phi$ is a $(\Sigma, X)$-formula, we will write $\phi[x]$ to
denote $\phi$ itself, yet emphasizing that the set of free variables in $\phi$ is
included in $x$. Let $x, y \in X^*$ be of the same length and let $\phi$ be a
$(\Sigma, X)$-formula: then $\phi[y/x]$ denotes the formula obtained by
simultaneous renaming of each free occurrence in $\phi$ of a variable in $x$ with
the corresponding variable in $y$, possibly renaming bound variable occurrences as
needed to avoid variable capture. Notice that $\phi[x]$ implies
$(\phi[y/x])[y]$, for each admissible $y \in X^*$.

A formula with no free variable occurrences is termed closed or called a
sentence. The universal closure of a formula $\phi$ is denoted by $\forall(\phi)$.
If $\phi$ is a closed $(\Sigma, X)$-formula and $\mathcal{A}$ is a
$\Sigma$-structure, we write $\mathcal{A} \models \phi$ if $\phi$ is satisfied
when interpreting each symbol in $\Sigma$ as the corresponding object in
$\mathcal{A}$. A set $T$ of closed $(\Sigma, X)$-formulas is called a
$(\Sigma, X)$-theory. We write $\mathcal{A} \models T$ if $\mathcal{A} \models \phi$
for each $\phi \in T$. If $\phi$ is a closed $(\Sigma, X)$-formula and $T$ is a
$(\Sigma, X)$-theory, we write $T \models \phi$ if, for each $\Sigma$-structure
$\mathcal{A}$, $\mathcal{A} \models T$ implies $\mathcal{A} \models \phi$. In this
case we say that $\phi$ is a logical consequence of $T$.

3. Termination Analysis of Individual Loops 

We will start by restricting our attention to individual loops of the form

    { I } while B do C                                                    (2)

where

• $I$ is a loop invariant that a previous analysis phase has determined to hold
  just before any evaluation of $B$;

• $B$ is a Boolean guard expressing the condition on the state upon which
  iteration continues;

• $C$ is a command that, in the context set by (2), is known to always terminate.

Notice that, for maximum generality, we do not impose any syntactic restriction on
$I$, $B$ and $C$ and will only observe their interaction with the program state:
$I$ and $B$ express conditions on the state, and $C$ is seen as a state
transformer, that is, a condition constraining the program states that correspond
to its initial and final states. We assume that such conditions are expressed in a
fragment of some first-order language $\mathcal{L} = \mathcal{L}(\Sigma, X)$ that
is closed under finite conjunction and implication (indeed a limited form of
implication is often enough). We assume further that the meaning of the sentences
in $\mathcal{L}$ is given by some theory $T$ for which we are given a sound
inference procedure denoted by '$\vdash$', that is, for each sentence
$\phi \in \mathcal{L}$, if $T \vdash \phi$ then $T \models \phi$. Finally, we fix
a $\Sigma$-structure $\mathcal{D}$ such that $\mathcal{D} \models T$, which
captures the domain over which computation and program reasoning take place. Let
$x$ be the tuple of variables containing (among possible others) all the free
variables of (2). The effect of $C$ within the loop can be captured by stipulating
that $x$ characterizes the state before execution of $C$, introducing a tuple of
new variables $x'$ that characterizes the state after $C$'s execution, and by
imposing restrictions on the combined tuple $xx'$. Our last assumption is that we
are given formulas of $\mathcal{L}$ that correctly express the semantics of $I$,
$B$, and $C$: let us call these formulas $\phi_I$, $\phi_B$ and $\phi_C$,
respectively. With these definitions and assumptions, the semantics of loop (2) is
correctly approximated as follows:

1. whenever the loop guard $B$ is evaluated, $\phi_I[x]$ holds;

2. if $\phi_I[x] \wedge \phi_B[x]$ is inconsistent, iteration of the loop
   terminates;

3. just before execution of $C$, $\phi_I[x] \wedge \phi_B[x]$ holds;

4. just after execution of $C$, $\phi_I[x] \wedge \phi_B[x] \wedge \phi_C[xx']$
   holds.

It is worth observing that the presence of the externally-generated invariant $I$
is not restrictive: on the one hand, $\phi_I[x]$ can simply be the "true" formula,
when nothing better is available; on the other hand, non-trivial invariants are
usually a decisive factor for the precision of termination analysis. As observed
in [ ], the requirement that $I$ must hold before any evaluation of $B$ can be
relaxed by allowing $I$ not to hold finitely many times.² The same kind of
approximation can be applied to $\phi_I$, $\phi_B$ and $\phi_C$ by only requesting
that they eventually hold.

We would like to stress that, at this stage, we have not lost generality. While
the formalization of basic iteration units in terms of while loops has an
unmistakable imperative flavor, it is general enough to capture iteration in other
programming paradigms. To start with, recall that a reduction system is a pair
$(R, \to)$, where $R$ is a set and ${\to} \subseteq R \times R$. A term-rewrite
system is a reduction system where $R$ is a set of terms over some signature and
'$\to$' is encoded by a finite set of rules in such a way that, for each term $s$,
the set of terms $t$ such that $s \to t$ is finitely computable from $s$ and from
the system's rules. Maximal reduction sequences of a term-rewrite system can be
expressed by the following algorithm, for each starting term $s$:

    term := s
    while { t | term → t } ≠ ∅ do
      choose u ∈ { t | term → t };
      term := u

Here, the choose construct encodes the rewriting strategy of the system. Let
$R = \{ t \mid s \to^* t \}$ denote the set of terms that can be obtained by any
finite number of rewritings of the initial term $s$. Then, the algorithm above can
be transformed into the form (2) by considering, as the invariant $I$, a property
expressing that variable 'term' can take values in any over-approximation
$S \supseteq R$ of all the possible rewritings. Namely,

    { term ∈ S }
    while { t | term → t } ≠ ∅ do
      choose u ∈ { t | term → t };
      term := u

Termination of the rewritten while loop implies termination of the original one;
the reverse implication holds if $S = R$.

²Such an invariant is called tail invariant in [ ].

The semantics of logic programs, functional programs, concurrent programs and so
forth can be (and often are) formalized in terms of rewriting of goals and various
kinds of expressions: hence no generality is lost by considering generic while
loops of the form (2).

The approach to termination analysis based on ranking functions requires that:

1. a set $O$ and a binary relation ${\prec} \subseteq O \times O$ are selected so
   that $O$ is well-founded with respect to $\prec$;

2. a term $\delta[y]$ of $\mathcal{L}$ is found such that

    $T \vdash \forall\bigl( (\phi_I[x] \wedge \phi_B[x] \wedge \phi_C[xx']) \rightarrow \omega(\delta[x'/y], \delta[x/y]) \bigr),$          (3)

   where the interpretation of $\omega$ over $\mathcal{D}$ corresponds to
   $\prec$. The function associated to $\delta$ in $\mathcal{D}$ is called
   ranking function for the loop (2).

Termination of (2) follows by the correctness of $\phi_I$, $\phi_B$, $\phi_C$ and
'$\vdash$', and by well-foundedness of $O$ with respect to $\prec$. To see this,
suppose, towards a contradiction, that loop (2) does not terminate. The mentioned
soundness conditions would imply the existence of an infinite sequence of elements
of $O$

    $o_0 \succ o_1 \succ o_2 \succ \cdots$                                  (4)

Let $U \subseteq O$ be the (nonempty) set of elements in the sequence. Since $O$
is well founded with respect to $\prec$, there exists $j \in \mathbb{N}$ such
that, for each $i \in \mathbb{N}$, $o_i \not\prec o_j$. But this is impossible,
as, for each $j \in \mathbb{N}$, $o_{j+1} \prec o_j$. This means that the infinite
chain (4) cannot exist and loop (2) terminates.

Example 3.1. Let $\Sigma = (S, F, R)$ with $S = \{\iota\}$,
$F = F_{\varepsilon,\iota} \cup F_{\iota,\iota}$, $F_{\varepsilon,\iota} = \{0\}$,
$F_{\iota,\iota} = \{s\}$ and $R = R_{\iota\iota} = \{=, <\}$. Let also
$\mathcal{D} = (\{\mathbb{Z}\}, \{0, s\}, \{e, l\})$ be a $\Sigma$-structure where
$s = \{ (n, n+1) \mid n \in \mathbb{Z} \}$, $e = \{ (n, n) \mid n \in \mathbb{Z} \}$
and $l = \{ (n, m) \mid n, m \in \mathbb{Z}, n < m \}$. Let $X$ be a denumerable
set of variable symbols and let $T$ be a suitable subtheory of arithmetic
restricted to $\mathcal{L}(\Sigma, X)$. Consider now the loop

    { x ≥ 0 }
    while x ≠ 0 do
      x := x − 1

We have $\phi_I = (x = 0 \vee 0 < x)$, $\phi_B = \neg(x = 0)$ and
$\phi_C = (s(x') = x)$. If we take $(O, \prec) = (\mathbb{N}, {<} \cap \mathbb{N}^2)$,
$\delta[y] = y$, and $\omega(t, w) = ((t = 0 \vee 0 < t) \wedge t < w)$, we can
substitute into (3) and obtain

    $T \vdash \forall x, x' \colon ((x = 0 \vee 0 < x) \wedge \neg(x = 0) \wedge s(x') = x) \rightarrow ((x' = 0 \vee 0 < x') \wedge x' < x)$

which simplifies to

    $T \vdash \forall x, x' \colon (0 < x \wedge s(x') = x) \rightarrow ((x' = 0 \vee 0 < x') \wedge x' < x)$

which a reasonable inference engine can easily check to be true.

This general view of the ranking functions approach to termination analysis
allows us to compare the methods in the literature on a common ground and to
focus on what, besides mere presentation artifacts, really distinguishes them
from one another. Real differences have to do with:

• the choice of the well-founded ordering $(O, \prec)$;

• the class of functions in which the method "searches" for the ranking
  functions;

• the choice of the signature $\Sigma$, the domain $\mathcal{D}$ and theory $T$;
  this has to accommodate the programming formalism at hand, the semantic
  characterization upon which termination reasoning has to be based, the
  axiomatization of $(O, \prec)$, and the representation of ranking functions;

• the class of algorithms that the method uses to conduct such a search.

We now briefly review these aspects. 

The most natural well-founded ordering is, of course, $(\mathbb{N}, <)$. This is
especially indicated when the termination arguments are based on quantities that
can be expressed by natural numbers. This is the case, for instance, of the work
by Sohn and Van Gelder for termination analysis of logic programs [1, ].
Orderings based on $\mathbb{Q}_+$ or $\mathbb{R}_+$ can be obtained by imposing
over them relations like those defined, for each $\epsilon > 0$, by
${<_\epsilon} := \{ (h, k) \in \mathbb{S}_+^2 \mid h + \epsilon \le k \}$, where
$\epsilon \in \mathbb{S}_+$ and $\mathbb{S}_+ = \mathbb{Q}_+$ or
$\mathbb{S}_+ = \mathbb{R}_+$, respectively. Of course, this is simply a matter
of convenience: a ranking function $f$ with codomain $(\mathbb{R}_+, <_\epsilon)$
can always be converted into a ranking function $g$ with codomain
$(\mathbb{N}, <)$ by taking $g(y) = \lfloor f(y)\,\epsilon^{-1} \rfloor$.
Similarly, any ranking function over $(\mathbb{R}_+, <_\epsilon)$ can be
converted into a ranking function over $(\mathbb{R}_+, <_1)$. On tuples, the
lexicographic ordering is the most common choice for a well-founded relation:
given a finite number of well-founded relations $\prec_i$ for $i = 1, \ldots, n$
over a set $S$, the lexicographic ordering over $S^n$ is induced by saying that
$s \prec t$ if and only if $s_i \prec_i t_i$ for an index $i$ and $s_j = t_j$ for
all indices $j < i$. The termination analyzer of the Mercury programming language
[13, ] first attempts an analysis using the $(\mathbb{N}, <)$ ordering; if that
fails then it resorts to lexicographic orderings. Lexicographic orderings on
Cartesian products of $(\mathbb{R}_+, <_\epsilon)$ are also used in [12].

The synthesis of ranking functions is easily seen to be a search problem. All
techniques impose limits upon the universe of functions that is the domain of the
search. For instance, in the logic programming community, the works in
[10, 11, 13, 14] use ranking functions of the form
$f(x_1, \ldots, x_n) = \sum_{i=1}^n \mu_i x_i$ where, for $i = 1, \ldots, n$,
$\mu_i \in \{0, 1\}$ and the variable $x_i$ takes values in $\mathbb{N}$. The
method of Sohn and Van Gelder [6, 9] is restricted to linear functions of the form
$f(x_1, \ldots, x_n) = \sum_{i=1}^n \mu_i x_i$, where, for $i = 1, \ldots, n$,
$\mu_i \in \mathbb{N}$ and the variable $x_i$ takes values in $\mathbb{N}$. Its
generalization to $\mathbb{Q}_+$ was proposed in [15] and further generalized by
Mesnard and Serebrenik [16, 17] to obtain affine functions of the form
$f(x_1, \ldots, x_n) = \mu_0 + \sum_{i=1}^n \mu_i x_i$ where $\mu_i \in \mathbb{Z}$,
and $x_i$ take values in $\mathbb{Q}$ or $\mathbb{R}$, for $i = 0, \ldots, n$. Use
of the method of Podelski and Rybalchenko was presented in [18] and is a component
of Terminator, a termination prover of C systems code [19]. Nguyen and De Schreye
[2 ] proposed, in the context of logic programming and following a thread of work
in termination of term rewrite systems that can be traced back to [ ], to use
polynomial ranking functions. These are of the basic form
$f(x_1, \ldots, x_n) = \mu_0 + \sum_{j=1}^m \mu_j \prod_{i=1}^n x_i^{k_{ij}}$ where
$\mu_0 \in \mathbb{Z}$ and, for $i = 1, \ldots, n$ and $j = 1, \ldots, m$,
$\mu_j \in \mathbb{Z}$, $k_{ij} \in \mathbb{N}$ and the variable $x_i$ takes values
in $\mathbb{Z}$ [24]. Several further restrictions are usually imposed: first a
domain $A \subseteq \mathbb{N}$ is selected; then it is demanded that, for each
$x_1, \ldots, x_n \in A$, $f(x_1, \ldots, x_n) \in A$ and that $f$ is strictly
monotone over $A$ on all its arguments. The set of all such polynomials is itself
well-founded with respect to '$<_A$': $f <_A g$ if and only if, for each
$x_1, \ldots, x_n \in A$, $f(x_1, \ldots, x_n) < g(x_1, \ldots, x_n)$. The
condition of strict monotonicity, namely, for each $x_1, \ldots, x_n \in A$, each
$i = 1, \ldots, n$, and each $y, z \in A$ with $y < z$,
$f(x_1, \ldots, x_{i-1}, y, x_{i+1}, \ldots, x_n) < f(x_1, \ldots, x_{i-1}, z, x_{i+1}, \ldots, x_n)$,
is ensured if, for each $j = 1, \ldots, m$, we have $\mu_j \in \mathbb{N}$ and,
for each $i = 1, \ldots, n$, there exists $j$ such that $\mu_j \neq 0$ and
$k_{ij} \neq 0$. Choosing $A \neq \mathbb{N}$ brings some advantages. For example,
if $A \subseteq \{ n \in \mathbb{N} \mid n \ge 2 \}$ then multiplication of
polynomials is strictly monotone on both its arguments (i.e., $f <_A f \cdot g$
and $g <_A f \cdot g$). Additional restrictions are often imposed in order to make
the search of ranking functions tractable: both the maximum degree of polynomials
and their coefficients — the $\mu_j$'s above — can be severely limited (an upper
bound of 2 both on degrees and on coefficients is typical). Quadratic ranking
functions of the form
$f(x_1, \ldots, x_n) = (x_1, \ldots, x_n, 1)^{\mathrm{T}} M (x_1, \ldots, x_n, 1)$
are considered in [23], where the variables $x_i$ and the unknown coefficients
$\mu_{ij}$ of the $(n+1) \times (n+1)$ symmetric matrix $M$ take values in
$\mathbb{R}$. [12] considers a search space of tuples of (up to a fixed number of)
linear functions.

The logic used in most papers about the synthesis of linear (or affine) ranking
functions (such as [1, , 24]) is restricted to finite conjunctions of linear
equalities or inequalities and simple implications (e.g., of a single inequality
by a conjunction). In [12] this logic is extended to include disjunction, so as to
capture precisely the effect of the loop body.

Concerning algorithms, the restriction to conjunctions of linear equalities or
inequalities allows the use of the simplex algorithm (or other algorithms for
linear programming) to prove the existence of linear ranking functions in [ ] or
to synthesize one of them. When a space of ranking functions is sought, these can
be obtained by projecting the systems of constraints onto a designated set of
variables using, for instance, Fourier-Motzkin elimination. In these approaches,
standard algorithms from linear programming work directly on an abstraction of the
loop to be analyzed and are able to decide the existence of linear ranking
functions for that abstraction. The algorithms used in other approaches belong to
the category of "generate and test" algorithms: the "generate" phase consists in
the selection, possibly guided by suitable heuristics, of candidate functions,
while the "test" phase amounts to proving that a candidate is indeed a ranking
function. This is the case, for instance, of [12], where generation consists in
the instantiation of template functions and testing employs an algorithm based on
a variant of Farkas' Lemma. Non-linear constraints generated by the method
described in [23] are handled by first resorting to semidefinite programming
solvers and then validating the obtained results by using some other tools, since
these solvers are typically based on interior point algorithms and hence may incur
unsafe rounding errors. Note that, in principle, the very same observation would
apply to the case of linear constraints, if the corresponding linear programming
problem is solved using an interior point method or even a floating-point based
implementation of the simplex algorithm; however, there exist implementations of
the simplex algorithm based on exact arithmetic, so that linear programming
problems can be numerically solved incurring no rounding errors at all and with a
computational overhead that is often acceptable.³

It should be noted that the fact that in this paper we only consider simple while loops and linear ranking functions is not as restrictive as it may seem. Actually, one can trade the existence of a potentially complex global ranking function for the whole program for the existence of elementary local ranking functions of some selected individual simple loops appearing in a transformation of the whole program. General formulations of this idea are given in [18], [2£] and provide a useful sufficient condition for termination. Now the question is: can one specify a particular class of programs and a particular class of elementary local ranking functions such that this sufficient condition turns out to be a correct and complete decision procedure for termination of this class of programs? The Size-Change Principle proposed by [26] presents such a class of programs where the local ranking functions can be safely restricted to linear functions with 0/1 coefficients. Moreover, in a generalization of this work presented in [27, 21], the authors prove that, under certain hypotheses, linear functions are a large enough class of local ranking functions for a sound and complete termination criterion. Hence, for the class of programs they consider, termination is a decidable property.

Footnote: In contrast, an exact solver for non-linear constraints would probably require a truly symbolic computation, incurring a much more significant computational overhead.

4. The Approach of Sohn and Van Gelder, Generalized

As far as we know, the first approach to the automatic synthesis of ranking functions is due to Kirack Sohn and Allen Van Gelder ^ Q. Possibly due to the fact that their original work concerned termination of logic programs, Sohn and Van Gelder did not get the recognition we believe they deserve. In fact, as we will show, some key ideas of their approach can be applied, with only rather simple modifications, to the synthesis of ranking functions for any programming paradigm.

In this section we present the essentials of the work of Sohn and Van Gelder 
in a modern setting: we will first see how the termination of logic programs can 
be mapped onto the termination of binary CLP(N) programs; then we will show 
how termination of these programs can be mapped to linear programming; we 
will then review the generalization of Mesnard and Serebrenik to CLP(Q) and 
CLP(R) programs and, finally, its generalization to the termination analysis of 
generic loops. 

4.1. From Logic Programs to Binary CLP(N) Programs

Consider a signature $\Sigma_t = (\{t\}, F, R)$ and a denumerable set $X$ of variable symbols. Let $T_t$ be the set of all $(\Sigma_t, X)$-terms. A substitution $\theta$ is a total function $\theta\colon X \to T_t$ that is the identity almost everywhere; in other words, the set $\{\, x \in X \mid \theta(x) \neq x \,\}$ is finite. The application of $\theta$ to $t \in T_t$ gives the term $\theta(t) \in T_t$ obtained by simultaneously replacing all occurrences of a variable $x$ in $t$ with $\theta(x)$. Consider a system of term equations $E = \{t_1 = u_1, \ldots, t_n = u_n\}$: a substitution $\theta$ is a unifier of $E$ if $\theta(t_i) = \theta(u_i)$ for $i = 1, \ldots, n$. A substitution $\theta$ is a most general unifier (mgu) of $E$ if it is a unifier for $E$ and, for any unifier $\eta$ of $E$, there exists a substitution $\xi$ such that $\eta = \xi \circ \theta$. Let $t$ and $u$ be terms: we say that $t$ and $u$ are variants if there exist substitutions $\theta$ and $\eta$ such that $t = \theta(u)$ and $u = \eta(t)$.

A formula of the form $r(t_1, \ldots, t_n)$, where $r \in R$ and $t_1, \ldots, t_n \in T_t$, is called an atom. A goal is a formula of the form $B_1, \ldots, B_n$, where $n \in \mathbb{N}$ and $B_1, \ldots, B_n$ are atoms. The goal where $n = 0$, called the empty goal, is denoted by $\square$. A logic program is a finite set of clauses of the form $H \mathbin{:-} G$, where $H$ is an atom, called the head of the clause, and $G$ is a goal, called its body. The notions of substitution, mgu and variant are generalized to atoms, goals and clauses in the expected way. For example, $\theta$ is an mgu for atoms $r(t_1, \ldots, t_n)$ and $s(u_1, \ldots, u_m)$ if $r = s$, $n = m$ and $\theta$ is an mgu for $\{t_1 = u_1, \ldots, t_n = u_n\}$.

Left-to-right computation for logic programs can be defined in terms of rewriting of goals. Goal $B_1, \ldots, B_n$ can be rewritten to $C'_1, \ldots, C'_m, B'_2, \ldots, B'_n$ if there exists a variant of program clause $H \mathbin{:-} C_1, \ldots, C_m$ with no variables in common with $B_1, \ldots, B_n$, the atoms $H$ and $B_1$ are unifiable with mgu $\theta$, and $C'_i = \theta(C_i)$, for $i = 1, \ldots, m$, $B'_j = \theta(B_j)$, for $j = 2, \ldots, n$. Computation terminates if and when rewriting produces the empty goal. Notice that the computation, due to the fact that there may be several clauses that can be used at each rewriting step, is nondeterministic.

Let $\mathrm{nil}, \mathrm{cons} \in F$, $\mathrm{list}, \mathrm{select}, \mathrm{perm} \in R$ and $u, w, x, y, z \in X$. The following logic program defines relations over lists inductively defined by the constant $\mathrm{nil}$, the empty list, and the binary constructor $\mathrm{cons}$, which maps a term $t$ and a list $l$ to the list whose first element is $t$ and the remainder is $l$:

    list(nil)                          :- □;
    list(cons(x, y))                   :- list(y);
    select(x, cons(x, y), y)           :- list(y);
    select(x, cons(y, z), cons(y, w))  :- select(x, z, w);
    perm(nil, nil)                     :- □;
    perm(x, cons(u, z))                :- select(u, x, y), perm(y, z).        (5)

The program defines the unary relation $\mathrm{list}$ to be the set of such lists. The ternary relation $\mathrm{select}$ contains all $(x, y, z)$ such that $x$ appears in the list $y$, and $z$ is $y$ minus one occurrence of $x$. The binary relation $\mathrm{perm}$ contains all the pairs of lists such that one is a permutation of the other.

A computation of a logic program starting from some initial goal can: terminate with success, when rewriting ends up with the empty goal; terminate with failure, when rewriting generates a goal whose first atom is not unifiable with the head of any (variant of) program clause; loop forever, when the rewriting process continues indefinitely. Because of nondeterminism, the same program and initial goal can give rise to computations that succeed, fail or do not terminate. A goal $G$ enjoys the universal termination property with respect to a program $P$ if all the computations starting from $G$ in $P$ do terminate, either with success or failure.

The idea behind this approach to termination analysis of logic programs is that termination is often ensured by the fact that recursive "invocations" involve terms that are "smaller". Rewriting of $\mathrm{list}(\mathrm{cons}(t_1, \mathrm{cons}(t_2, \mathrm{nil})))$, for example, results in $\mathrm{list}(\mathrm{cons}(t_2, \mathrm{nil}))$ and then $\mathrm{list}(\mathrm{nil})$. Various notions of "smaller term" can be captured by linear symbolic norms [6, 30]. Consider the signature $\Sigma_e = (\{e\}, \{0, 1, +\}, R \cup \{=, <\})$. The set $T_e$ of $(\Sigma_e, X)$-terms contains affine expressions with natural coefficients. A linear symbolic norm is a function of the form $\|\cdot\|\colon T_t \to T_e$ such that

$$\|t\| = \begin{cases} t, & \text{if } t \in X; \\ c + \sum_{i=1}^{n} a_i \|t_i\|, & \text{if } t = f(t_1, \ldots, t_n), \end{cases}$$

where $c$ and $a_1, \ldots, a_n$ are natural numbers that only depend on $f$ and $n$. The term-size norm, for example, is characterized by $c = 0$ for each $f \in F_{\epsilon,t}$ and by $c = 1$ and $a_i = 1$ for each $f \in F_{w,t} \subseteq F \setminus F_{\epsilon,t}$ and $i = 1, \ldots, |w|$. The list-length norm is, instead, characterized by $c = 0$ and $a_i = 0$ for each $f \neq \mathrm{cons} \in F_{w,t}$, and by $c = a_2 = 1$ and $a_1 = 0$ for the $\mathrm{cons}$ binary constructor.

Footnote: The related concept of existential termination has a number of drawbacks and will not be considered here. See [29] for more information.

Once a linear symbolic norm has been chosen, a logic program can be converted by replacing each term with its image under the norm. For example, using the list-length norm the above program becomes:

    list(0)                     :- □;                           (6)
    list(1 + y)                 :- list(y);                     (7)
    select(x, 1 + y, y)         :- list(y);                     (8)
    select(x, 1 + z, 1 + w)     :- select(x, z, w);             (9)
    perm(0, 0)                  :- □;                           (10)
    perm(x, 1 + z)              :- select(u, x, y), perm(y, z). (11)

The program obtained by means of this abstraction process — we have replaced terms by an expression of their largeness — is a CLP(N) program. In the CLP (Constraint Logic Programming) framework [31], the notion of unifiability is generalized by the one of solvability in a given structure. The application of most general unifiers is, in addition, generalized by the collection of constraints into a set of constraints called constraint store. In CLP(N), the constraints are equalities between affine expressions in $T_e$ and computation proceeds by rewriting a goal and augmenting a constraint store $\Gamma$, which is initially empty, with new constraints. Goal $B_1, \ldots, B_n$ can be rewritten to $C_1, \ldots, C_m, B_2, \ldots, B_n$ if there exists a variant $H \mathbin{:-} C_1, \ldots, C_m$ of some program clause with no variables in common with $B_1, \ldots, B_n$ such that $H = p(t_1, \ldots, t_n)$, $B_1 = p(u_1, \ldots, u_n)$ and $\Gamma' := \Gamma \cup \{t_1 = u_1, \ldots, t_n = u_n\}$ is satisfiable over the $\Sigma_e$-structure given by the naturals, the functions given by the constants 0 and 1 and the binary sum operation, and the identity relation over the naturals. In this case $\Gamma'$ becomes the new constraint store.

The interesting thing about the abstract CLP(N) program — let us denote it by $\alpha(P)$ — is that the following holds: if an abstract goal $\alpha(G)$ universally terminates with respect to $\alpha(P)$, then the original goal $G$ universally terminates with respect to the original program $P$, and this for each linear symbolic norm that is used in the abstraction (see Section 6.1 for a very general proof of this fact). The converse does not hold because of the precision loss abstraction involves.

We will now show, appealing to intuition, that the ability to approximate the termination behavior of programs constituted by a single binary CLP(N) clause, that is, of the form

$$p(x) \mathbin{:-} c[x, x'], p(x'), \tag{12}$$

where $p$ is a predicate symbol, gives a technique to approximate the termination behavior of any CLP(N) program.

Footnote: The variant used in 0|, called structural term size, can be obtained by letting, for each $f \in F_{w,t}$, $c = |w|$ and $a_i = 1$ for $i = 1, \ldots, |w|$.

Footnote: We offer a self-contained yet very simplified view of the CLP framework. The interested reader is referred to [31, 33].

The first step is to compute affine relations that correctly approximate the success set of the CLP(N) program. For our program, we can obtain (e.g., by standard abstract interpretation techniques [34, 35])

    list(x) succeeds          ⟹  true;
    select(x, y, z) succeeds  ⟹  z = y − 1;
    perm(x, y) succeeds       ⟹  x = y.

We now consider the clauses of the CLP(N) program one by one. Clause (6) does not pose any termination problem. Clause (7) is already of the form (12): we can call the engine described in the next section and obtain the ranking function $f(x) = x$ for $\mathrm{list}(x)$, meaning that the argument of $\mathrm{list}$ strictly decreases in the recursive call. We thus note that

$$\mathrm{list}(x) \text{ terminates if called with } x \in \mathbb{N}. \tag{13}$$

Consider now clauses (8) and (9): for the former we simply have to note that we need to satisfy (13) in order to guarantee termination; for the latter, which is of the form (12), we can obtain an infinite number of ranking functions for $\mathrm{select}(x, y, z)$, among which are $f(x, y, z) = y$ (the second argument decreases) and $f(x, y, z) = z$ (the third argument decreases). Summing up, for the $\mathrm{select}$ predicate we have

$$\mathrm{select}(x, y, z) \text{ terminates if called with } y \in \mathbb{N} \text{ and/or } z \in \mathbb{N}. \tag{14}$$

Now, clause (10) does not pose any termination problem, but clause (11) is not of the form (12). However we can use the computed model to "unfold" the invocation to $\mathrm{select}$ and obtain

$$\mathrm{perm}(x, 1 + z) \mathbin{:-} y = x - 1, \mathrm{perm}(y, z), \tag{11'}$$

which has the right shape and, as far as the termination behavior of the entire program is concerned, is equivalent to (11) [36]. From (11') we obtain, for $\mathrm{perm}(x, y)$, the ranking functions $f(x, y) = x$ and $f(x, y) = y$. We thus note

$$\mathrm{perm}(x, y) \text{ terminates if called with } x \in \mathbb{N} \text{ and/or } y \in \mathbb{N} \tag{15}$$

and the call to $\mathrm{select}$ in (11) terminates.

Summarizing, we have that goals of the form $\mathrm{perm}(k, y)$, where $k \in \mathbb{N}$, satisfy (15): looking at clause (11) it is clear that they also satisfy (14); in turn, inspection of clause (8) reveals that also (13) is satisfied. As a result, we have proved that any invocation in the original logic program (5) of $\mathrm{perm}(x, y)$ with $x$ bound to an argument whose list-length norm is constant, universally terminates. It may be instructive to observe that this implementation of $\mathrm{perm}$ is not symmetric: goals of the form $\mathrm{perm}(x, k)$, where $k \in \mathbb{N}$, fail to satisfy (15) and, indeed, it is easy to come up with goals $\mathrm{perm}(x, y)$ with $y$ bound to a complete list that do not universally terminate in the original program.

The procedure outlined in the previous example can be extended (in different ways) to any CLP(N) program. As the precise details are beyond the scope of this paper, we only illustrate the basic ideas and refer the interested reader to the literature. The methodology is simpler for programs that are directly recursive, i.e., such that all "recursive calls" to $p$ only happen in clauses for $p$. Consider a directly recursive clause. This has the general form

$$p(x) \mathbin{:-} c, \beta_0, p(x_1), \beta_1, p(x_2), \beta_2, \ldots, p(x_k), \beta_k,$$

where the goals $\beta_0, \ldots, \beta_k$ do not contain atoms involving $p$. The computed model is used to "unfold" $\beta_0$ obtaining a sound approximation, in the form of a conjunction of linear arithmetic constraints, of the conditions upon which the first recursive call, $p(x_1)$, takes place. If we call $c_1$ the conjunction of $c$ with the constraint arising from the unfolding of $\beta_0$, we obtain the binary, directly recursive clause

$$p(x) \mathbin{:-} c_1, p(x_1).$$

We can now use the model to unfold the goals $p(x_1)$ and $\beta_1$ and obtain a constraint that, conjoined with $c_1$, gives us $c_2$, a sound approximation of the "call pattern" for the second recursive call. Repeating this process we will obtain the binary clauses

$$p(x) \mathbin{:-} c_2, p(x_2), \qquad \ldots, \qquad p(x) \mathbin{:-} c_k, p(x_k).$$

We repeat this process for each clause defining $p$ and end up with a set of binary clauses, for which a set of ranking functions is computed, using the technique to be presented in the next section. The same procedure is applied to each predicate symbol in the program. A final pass over the original CLP(N) program is needed to ensure that each body atom is called within a context that ensures the termination of the corresponding computation. This can be done as follows:

1. A standard global analysis is performed to obtain, for each predicate that can be called in the original CLP(N) program, possibly approximated but correct information about which arguments are known to be definite, i.e., constrained to take a unique value, in each call to that predicate (see, e.g., [37]).

2. For each recursive predicate that may be called, it is checked that, for each possible combination of definite and not-known-to-be-definite arguments, there is at least one ranking function that depends only on the definite arguments.

The overall methodology can be adapted to mutually recursive programs, either by a direct extension of the above approach (see, e.g., @) or by more advanced program transformations (see, e.g., [38]).

Footnote: For a CLP(N) program $P$, let $\Pi_P$ be the set of predicate symbols appearing in $P$. On the set $\Pi_P$, we define the relation $\to$ such that $p \to q$ if and only if $P$ contains a clause with $p$ as the predicate symbol of its head and $q$ as the predicate symbol of at least one body atom. Let $\to^*$ be the reflexive and transitive closure of $\to$. The relation defined by $p \sim q$ if and only if $p \to^* q$ and $q \to^* p$ is an equivalence relation; we denote by $[p]_\sim$ the equivalence class including $p$. A program $P$ is directly recursive if and only if, for each $p \in \Pi_P$, $[p]_\sim = \{p\}$. A program $P$ is mutually recursive if it is not directly recursive.

4.2. Ranking Functions for Binary, Directly Recursive CLP(N) Programs

In order to show how ranking functions can be computed from directly recursive binary CLP(N) clauses, we deal first with a single clause

$$p(x) \mathbin{:-} c[x, x'], p(x'),$$

where $p$ is a predicate symbol, $x$ and $x'$ are disjoint $n$-tuples of variables, and $c[x, x']$ is a linear constraint involving variables in $x \cup x'$. The meaning of such a clause is that, if $p$ is called on some tuple of integers $x$, then there are two cases:

• $c[x, x']$ is unsatisfiable (i.e., there does not exist a tuple of integers $x'$ that, together with $x$, satisfies it), in which case the computation will fail, and thus terminate;

• there exists $x'$ such that $c[x, x']$ holds, in which case the computation proceeds with the (recursive) calls $p(x')$, for each $x'$ such that $c[x, x']$.

The question is now to see whether that recursive procedure is terminating, that is whether, for each $x \in \mathbb{N}^n$, the call $p(x)$ will only give rise to chains of recursive calls of finite length. The approach of Sohn and Van Gelder allows one to synthesize a function $f_p\colon \mathbb{N}^n \to \mathbb{N}$ such that

$$\forall x, x' \in \mathbb{N}^n : c[x, x'] \implies f_p(x) \geq 1 + f_p(x'). \tag{16}$$

This means that the measure induced by $f_p$ strictly decreases when passing from a call of $p$ to its recursive call. Since the naturals are well founded with respect to '$<$', this entails that $p$, as defined in (12), is terminating.

A very important contribution of Sohn and Van Gelder consists in the algorithm they give to construct a class of functions that satisfy (16). The class is constituted by linear functions of the form

$$f_p(x_1, \ldots, x_n) = \sum_{i=1}^{n} \mu_i x_i, \tag{17}$$

where $\mu_i \in \mathbb{N}$, for $i = 1, \ldots, n$. For this class of functions and by letting $\mu = (\mu_1, \ldots, \mu_n)$, condition (16) can be rewritten as

$$\exists \mu \in \mathbb{N}^n \mathrel{.} \forall x, x' \in \mathbb{N}^n : c[x, x'] \implies \sum_{i=1}^{n} \mu_i x_i - \sum_{i=1}^{n} \mu_i x'_i \geq 1. \tag{18}$$

Footnote: As usual, we abuse notation by confusing a tuple with the set of its elements.

Given that $c[x, x']$ is a linear constraint, for any choice of $\mu \in \mathbb{N}^n$ we can easily express (18) as an optimization problem over the naturals. In order to move from tuple notation to the more convenient vector notation, assume without loss of generality that, for some $m \in \mathbb{N}$, $A_c \in \mathbb{Z}^{m \times 2n}$ and $b_c \in \mathbb{Z}^m$ are such that $A_c (x, x') \geq b_c$ is logically equivalent to $c[x, x']$ under the obvious, respective interpretations. Then, for any candidate choice of $\mu \in \mathbb{N}^n$, condition (18) is equivalent to imposing that the optimization problem

$$\begin{aligned} \text{minimize} \quad & \theta = (\mu, -\mu)^{\mathrm{T}} (x, x') \\ \text{subject to} \quad & A_c (x, x') \geq b_c \\ & x, x' \in \mathbb{N}^n \end{aligned} \tag{19}$$

is either unsolvable or has an optimal solution whose cost $\theta$ is such that $\theta \geq 1$. If this is the case, then $\mu$ induces, according to (17), a function $f_p$ satisfying (16). Notice that, for any fixed choice of $\mu \in \mathbb{N}^n$, $\theta$ is a linear expression and hence (19) is an integer linear programming (ILP) problem. This gives us an expensive way (since ILP is an NP-complete problem [39]) to test whether a certain $\mu \in \mathbb{N}^n$ is a witness for termination of (12), but gives us no indication about where to look for such a tuple of naturals.

A first step forward consists in considering the relaxation of (19) obtained by replacing the integrality constraints $x, x' \in \mathbb{N}^n$ with $x, x' \in \mathbb{Q}_+^n$. This amounts to trading precision for efficiency. In fact, since any feasible solution of (19) is also feasible for the relaxed problem, if the optimum solution of the latter has a cost greater than or equal to 1, then either (19) is unfeasible or $\theta \geq 1$. However, we may have $\theta \geq 1$ even if the optimum of the relaxation is less than 1. On the other hand, the relaxed problem is a linear problem: so by giving up completeness we have passed from an NP-complete problem to a problem in P for which we have, in addition, quite efficient algorithms. Furthermore, we observe that although the parameters $\mu$ are naturals in (18), this condition can be relaxed as well: if $\mu \in \mathbb{Q}_+^n$ gives a relaxed problem with optimum greater than 1, then we can multiply this vector by a positive natural so as to obtain a tuple of naturals satisfying (18). The relaxation can now be written using the standard linear programming (LP) notation:

$$\begin{aligned} \text{minimize} \quad & (\mu, -\mu)^{\mathrm{T}} (x, x') \\ \text{subject to} \quad & A_c (x, x') \geq b_c \\ & (x, x') \geq 0. \end{aligned} \tag{20}$$

Footnote: Let us consider the clause $p(x) \mathbin{:-} 2x \geq 2x' + 1, p(x')$ with $\mu = 1$. The optimization over the integers leads to $\theta = 1$, whereas the optimization for the relaxation has $\theta = 1/2$.

Footnote: We denote by P the class of problems solvable in weakly polynomial time. For a formal definition of P and the notion of NP-completeness we refer the reader to, e.g., [40].

We still do not know how to determine the vector of parameters $\mu$ so that the optimum of (20) is at least 1, but here comes one of the brilliant ideas of Sohn and Van Gelder: passing to the dual. It is a classical result of LP theory that every LP problem can be converted into an equivalent dual problem. The dual of (20) is

$$\begin{aligned} \text{maximize} \quad & b_c^{\mathrm{T}} y \\ \text{subject to} \quad & A_c^{\mathrm{T}} y \leq (\mu, -\mu) \\ & y \geq 0, \end{aligned} \tag{21}$$

where $y$ is an $m$-column vector of (dual) unknowns. Duality theory ensures that if both (20) and (21) have bounded feasible solutions, then both of them have optimal solutions and these solutions have the same cost. More formally, for every choice of the parameters $\mu \in \mathbb{Q}^n$, if $(x, x') \in \mathbb{Q}^{2n}$ is an optimal solution for (20) and $y \in \mathbb{Q}^m$ is an optimal solution for (21), then $(\mu, -\mu)^{\mathrm{T}} (x, x') = b_c^{\mathrm{T}} y$. Moreover, if one of (20) and (21) is unfeasible, then the other is either unbounded or unfeasible. In contrast, if one of (20) and (21) is unbounded, then the other is definitely unfeasible.

Thus, thanks to duality theory, the LP problems (20) and (21) are equivalent for our purposes and we can consider any one of them. Suppose we analyze the dual problem (21):

• If (21) is unfeasible then either (20) is unfeasible, which implies trivial termination of (12), or (20) is unbounded, in which case — since we are working on relaxations — nothing can be concluded about whether $\mu$ defines a ranking function for (12).

• If (21) is feasible and unbounded then (20) is unfeasible and (12) trivially terminates.

• If (21) is feasible and bounded, then we have proved termination ($\mu$ induces a ranking function) if the cost of the optimal solution is at least 1 (actually, any positive rational could be used instead of 1). The analysis is inconclusive otherwise.

The crucial point is that, in (21), the parameters $\mu$ occur linearly, whereas in (20) they are multiplied by $(x, x')$. So we can treat $\mu$ as a vector of variables and transform (21) into the new LP problem in $m + n$ variables

$$\begin{aligned} \text{maximize} \quad & (b_c, 0)^{\mathrm{T}} (y, \mu) \\ \text{subject to} \quad & \begin{pmatrix} A_c^{\mathrm{T}} & \begin{matrix} -I_n \\ I_n \end{matrix} \end{pmatrix} (y, \mu) \leq 0 \\ & (y, \mu) \geq 0. \end{aligned} \tag{22}$$
The requirement that, in order to guarantee termination of (12), the optimal solutions of (20) and (21) should not be less than 1 can now be captured by incorporating $b_c^{\mathrm{T}} y \geq 1$ into the constraints of (22), yielding

$$\begin{aligned} \text{maximize} \quad & (b_c, 0)^{\mathrm{T}} (y, \mu) \\ \text{subject to} \quad & \begin{pmatrix} A_c^{\mathrm{T}} & \begin{matrix} -I_n \\ I_n \end{matrix} \end{pmatrix} (y, \mu) \leq 0 \\ & b_c^{\mathrm{T}} y \geq 1 \\ & (y, \mu) \geq 0. \end{aligned} \tag{23}$$

There are several possibilities:

1. If (23) is unfeasible, then:

   (a) if (22) is unfeasible, then, for each $\mu \in \mathbb{Q}^n$, (21) is unfeasible and:

      i. if (20) is unfeasible, then (12) trivially terminates;

      ii. otherwise (20) is unbounded and we can conclude nothing about the termination of (12).

   (b) If (22) is feasible, then it is bounded by a rational number $q < 1$. Thus, for each $\mu \in \mathbb{Q}^n$ extracted from a feasible solution $(y, \mu) \in \mathbb{Q}^{m+n}$ of (22), the corresponding LP problem (21) is also feasible, bounded, and its optimum $q' \in \mathbb{Q}$ is such that $q' \leq q < 1$. Moreover, we must have $q' \leq 0$. In fact, if $q' > 0$, problem (20) instantiated over $\mu' := \mu / q'$ would have an optimal solution of cost 1; the same would hold for the corresponding dual (21), but this would contradict the hypothesis that (22) is bounded by $q < 1$. Hence $q' \leq 0$. Since by duality the optimum of problem (20) is $q'$, the analysis is inconclusive.

2. If (23) is feasible, let $(y, \mu) \in \mathbb{Q}^{m+n}$ be any of its feasible solutions. Choosing $\mu$ for the values of the parameters, (21) is feasible. There are two further possibilities:

   (a) either (21) is unbounded, so (12) trivially terminates;

   (b) or it is bounded by a rational $q \geq 1$ and the same holds for its dual (20).

   In both cases, $\mu$, possibly multiplied by a positive natural in order to get a tuple of naturals, defines, via (17), a ranking function for (12).

The above case analysis boils down to the following algorithm:

1. Use the simplex algorithm to determine the feasibility of (23), ignoring the objective function. If it is feasible, then any feasible solution induces a linear ranking function for (12): exit with success.

2. If (23) is unfeasible, then try to determine the feasibility of (19) (e.g., by using the simplex algorithm again to test whether the relaxation (20) is feasible). If (19) is unfeasible then (12) trivially terminates; exit with success.

3. Exit with failure (the analysis is inconclusive).

An example should serve to better clarify the methodology we have employed.
Example 4.1. In the CLP(N) program

$$\begin{aligned} p(x_1, x_2) &\mathbin{:-} x_1 \leq 1 \wedge x_2 = 0, \\ p(x_1, x_2) &\mathbin{:-} x_1 \geq 2 \wedge 2x'_1 + 1 \geq x_1 \wedge 2x'_1 \leq x_1 \wedge x'_2 + 1 = x_2, p(x'_1, x'_2), \end{aligned}$$

$p(x_1, x_2)$ is equivalent to

$$x_2 = \begin{cases} \lfloor \log_2(x_1) \rfloor, & \text{if } x_1 \neq 0; \\ 0, & \text{otherwise.} \end{cases}$$

The relaxed optimization problem in LP notation (20) is

$$\begin{aligned} \text{minimize} \quad & (\mu_1, \mu_2, -\mu_1, -\mu_2)^{\mathrm{T}} (x_1, x_2, x'_1, x'_2) \\ \text{subject to} \quad & \begin{pmatrix} 1 & 0 & 0 & 0 \\ -1 & 0 & 2 & 0 \\ 1 & 0 & -2 & 0 \\ 0 & 1 & 0 & -1 \\ 0 & -1 & 0 & 1 \end{pmatrix} \begin{pmatrix} x_1 \\ x_2 \\ x'_1 \\ x'_2 \end{pmatrix} \geq \begin{pmatrix} 2 \\ -1 \\ 0 \\ 1 \\ -1 \end{pmatrix} \\ & (x_1, x_2, x'_1, x'_2) \geq 0, \end{aligned}$$

and the dual optimization problem (21) is

$$\begin{aligned} \text{maximize} \quad & (2, -1, 0, 1, -1)^{\mathrm{T}} (y_1, y_2, y_3, y_4, y_5) \\ \text{subject to} \quad & \begin{pmatrix} 1 & -1 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 & -1 \\ 0 & 2 & -2 & 0 & 0 \\ 0 & 0 & 0 & -1 & 1 \end{pmatrix} \begin{pmatrix} y_1 \\ y_2 \\ y_3 \\ y_4 \\ y_5 \end{pmatrix} \leq \begin{pmatrix} \mu_1 \\ \mu_2 \\ -\mu_1 \\ -\mu_2 \end{pmatrix} \\ & (y_1, y_2, y_3, y_4, y_5) \geq 0. \end{aligned}$$

Incorporation of the unknown coefficients of $\mu$ among the problem variables finally yields as the transformed problem

$$\begin{aligned} \text{maximize} \quad & (2, -1, 0, 1, -1, 0, 0)^{\mathrm{T}} (y_1, y_2, y_3, y_4, y_5, \mu_1, \mu_2) \\ \text{subject to} \quad & \begin{pmatrix} 1 & -1 & 1 & 0 & 0 & -1 & 0 \\ 0 & 0 & 0 & 1 & -1 & 0 & -1 \\ 0 & 2 & -2 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & -1 & 1 & 0 & 1 \\ -2 & 1 & 0 & -1 & 1 & 0 & 0 \end{pmatrix} \begin{pmatrix} y_1 \\ y_2 \\ y_3 \\ y_4 \\ y_5 \\ \mu_1 \\ \mu_2 \end{pmatrix} \leq \begin{pmatrix} 0 \\ 0 \\ 0 \\ 0 \\ -1 \end{pmatrix} \\ & (y_1, y_2, y_3, y_4, y_5, \mu_1, \mu_2) \geq 0. \end{aligned} \tag{24}$$

Footnote: We will tacitly replace an equality in the form $\alpha = \beta$ by the equivalent pair of inequalities $\alpha \geq \beta$ and $-\alpha \geq -\beta$ whenever the substitution is necessary to fit our framework.

This problem is feasible so this CLP(N) program terminates. Projecting the constraints of (24) onto $\mu$ we obtain, in addition, the knowledge that every $\mu$ with $\mu_1 + \mu_2 \geq 1$ gives a ranking function. In other words, $\mu_1 x_1 + \mu_2 x_2$ is a ranking function if the non-negative numbers $\mu_1$ and $\mu_2$ satisfy $\mu_1 + \mu_2 \geq 1$.

The following result illustrates the strength of the method:

Theorem 4.2. Let $C$ be the binary CLP($\mathbb{Q}_+$) clause $p(x) \mathbin{:-} c[x, x'], p(x')$, where $p$ is an $n$-ary predicate and $c[x, x']$ is a linear satisfiable constraint. Let $\mathrm{plrf}(C)$ be the set of positive linear ranking functions for $C$ and $\mathrm{svg}(C)$ be the set of solutions of (23) projected onto $\mu$, that is,

$$\begin{aligned} \mathrm{plrf}(C) &:= \Bigl\{\, \mu \in \mathbb{Q}^n \Bigm| \forall x, x' \in \mathbb{Q}^n : c[x, x'] \implies \sum_{i=1}^{n} \mu_i x_i - \sum_{i=1}^{n} \mu_i x'_i \geq 1 \,\Bigr\}, \\ \mathrm{svg}(C) &:= \bigl\{\, \mu \in \mathbb{Q}^n \bigm| (y, \mu) \text{ is a solution of (23)} \,\bigr\}. \end{aligned}$$

Then $\mathrm{plrf}(C) = \mathrm{svg}(C)$.

Proof. As $c[x, x']$ is satisfiable, problem (20) is feasible. We prove each inclusion separately.

$\mathrm{svg}(C) \subseteq \mathrm{plrf}(C)$. Assume that (23) is feasible and let $(y, \mu)$ be a solution of (23). For this choice of $\mu$, the corresponding LP problems (20) and (21) are bounded by $q \geq 1$ (case 2b of the discussion above). So $\mu \in \mathrm{plrf}(C)$.

$\mathrm{plrf}(C) \subseteq \mathrm{svg}(C)$. Let us pick $\mu \in \mathrm{plrf}(C)$. For this choice, the corresponding LP problem (20) is bounded by $r \geq 1$, and so is its dual (21). Let $y$ be an optimal solution for (21). Thus $(y, \mu)$ is a feasible solution of (22) and (23). Hence $\mu \in \mathrm{svg}(C)$.

As an immediate consequence, the question "does a given binary recursive clause with linear constraint admit a positive linear mapping?" can be solved in weakly polynomial time.

Corollary 4.3. Let $C$ be the binary CLP($\mathbb{Q}_+$) clause $p(x) \mathbin{:-} c[x, x'], p(x')$, where $c[x, x']$ is a linear satisfiable constraint. The decision problem $\mathrm{plrf}(C) = \emptyset$ is in P.

Proof. By Theorem 4.2 the problems $\mathrm{plrf}(C) = \emptyset$ and $\mathrm{svg}(C) = \emptyset$ are equivalent. So, if (23) is feasible then the answer is no: as $c[x, x']$ is satisfiable, we are in case (2)(b). Otherwise, again because of the satisfiability of $c[x, x']$, either (20) is unbounded (case (1)(a)ii) or it is bounded by $q' \leq 0$ (case (1)(b)). In both cases, the answer is yes. Finally, testing the satisfiability of a linear system, as well as computing one of its solutions — and thus computing one concrete linear ranking function —, is in P (see, e.g., [40]).
For the case where we have more than one directly recursive binary CLP(N) clause, $C_1, \ldots, C_n$, the set of global positive linear ranking functions, i.e., those that ensure termination whichever clause is selected at each computation step, is given by $\bigcap_{i=1}^{n} \mathrm{svg}(C_i)$. This can be computed by taking the conjunction of the constraints obtained, for each clause, from the projection of the constraints of the corresponding linear problem (23) onto $\mu$.

To summarize, the main contribution of Sohn and Van Gelder lies in their 
encoding of the ranking function search problem into linear programming and 
their use of the duality theorem. As we will see, this idea is amenable to a 
generalization that makes it widely applicable to any programming paradigm, 
not just (constraint) logic programming. 

4-.3. The Generalization by Mesnard and Serebrenik 

Fred Mesnard and Alexandre Serebrenik have generalized the method of Sohn and Van Gelder from the analysis of logic programs to the analysis of CLP(Q) and CLP(R) programs in [16, 17]. In the following, for presentation purposes and without loss of generality, we consider the case of rational-valued variables. They use a class of affine ranking functions of the form

$$ f_p(y_1, \ldots, y_n) = \mu_0 + \sum_{i=1}^{n} \mu_i y_i, \qquad (25) $$

where $\mu_i \in \mathbb{Q}$, for $i = 0, \ldots, n$. Allowing for rational-valued coefficients $\mu_i$ and variables $y_i$ (both the $\mu_i$'s and the $y_i$'s were naturals in the original method) implies that (25) does not necessarily define a nonnegative function and that Zeno sequences are not automatically excluded.^12 Consequently, to avoid these two problems, the condition is strengthened to^13

$$ \forall x, x' \in \mathbb{Q}^n : c[x, x'] \implies \bigl( f_p(x) \geq 1 + f_p(x') \;\wedge\; f_p(x) \geq 0 \bigr). \qquad (26) $$

Note that the choice of the numbers 1 and 0 in the right hand side of the above implication preserves generality: the general form of the former condition, i.e., $f_p(x) \geq \epsilon + f_p(x')$ for a fixed and strictly positive $\epsilon \in \mathbb{Q}_+$, can be transformed as shown in Section 3, and the general form of the latter, i.e., $f_p(x) \geq b$ for a fixed $b \in \mathbb{Q}$, can be transformed into $f_p(x) \geq 0$ by a suitable choice of $\mu_0$. Condition (26) can be rewritten as

$$ \forall x, x' \in \mathbb{Q}^n : c[x, x'] \implies \Bigl( \sum_{i=1}^{n} \mu_i x_i - \sum_{i=1}^{n} \mu_i x'_i \geq 1 \;\wedge\; \mu_0 + \sum_{i=1}^{n} \mu_i x_i \geq 0 \Bigr). \qquad (27) $$

^12 Such as 1, 1/2, 1/4, 1/8, ...

^13 Our presentation is strictly more general than the formulation in [16, 17], which imposes that $f_p(x) \geq 1 + f_p(x') \wedge f_p(x') \geq 0$.

Using the same notation chosen in Section 4.2, the existence of a ranking function can now be equivalently expressed as the existence of a solution of cost at least 1 to the former and a solution of cost at least 0 to the latter of the following optimization problems:



$$ \begin{array}{ll}
\text{minimize} & (\mu, -\mu)^{\mathrm{T}} (x, x') \\
\text{subject to} & A_c (x, x') \geq b_c
\end{array}
\qquad\qquad
\begin{array}{ll}
\text{minimize} & (\bar\mu, 0)^{\mathrm{T}} (\bar x, x') \\
\text{subject to} & \bar A_c (\bar x, x') \geq \bar b_c
\end{array}
\qquad (28) $$

where the extended vectors $\bar\mu := (\mu_0, \mu)$ and $\bar x := (x_0, x)$ include the parameter $\mu_0$ and the new variable $x_0$, respectively, and the extended matrix and vector

$$ \bar A_c := \begin{pmatrix} 1 & 0 \\ -1 & 0 \\ 0 & A_c \end{pmatrix} \qquad \text{and} \qquad \bar b_c := (1, -1, b_c), $$

with zero blocks of the appropriate dimensions, encode the additional constraint $x_0 = 1$ (the first two rows read $x_0 \geq 1$ and $-x_0 \geq -1$).

Reasoning as in Section 4.2, the problems (28) can then be transformed, applying the suitable form of the duality theorem, into the following dual problems over new vectors of variables $y$ and $z$, ranging over $\mathbb{Q}^m$ and $\mathbb{Q}^{m+2}$, respectively:

$$ \begin{array}{ll}
\text{maximize} & b_c^{\mathrm{T}} y \\
\text{subject to} & A_c^{\mathrm{T}} y = (\mu, -\mu) \\
& y \geq 0
\end{array}
\qquad\qquad
\begin{array}{ll}
\text{maximize} & \bar b_c^{\mathrm{T}} z \\
\text{subject to} & \bar A_c^{\mathrm{T}} z = (\bar\mu, 0) \\
& z \geq 0
\end{array}
\qquad (29) $$

Now the condition that the optimal solution is at least 1 (resp., 0) can be added to the constraints, thus reducing the optimization problems (28) to testing the satisfiability of the systems

$$ \begin{array}{l}
b_c^{\mathrm{T}} y \geq 1 \\
A_c^{\mathrm{T}} y = (\mu, -\mu) \\
y \geq 0
\end{array}
\qquad\qquad
\begin{array}{l}
\bar b_c^{\mathrm{T}} z \geq 0 \\
\bar A_c^{\mathrm{T}} z = (\bar\mu, 0) \\
z \geq 0
\end{array} $$

or equivalently, after incorporating the parameters $\mu$ (resp., $\bar\mu$) into the variables, to the generalization to $\mathbb{Q}$ of the corresponding problem of Section 4.2:



$$ \begin{array}{l}
A_c^{\mathrm{T}} y - (\mu, -\mu) = 0 \\
-b_c^{\mathrm{T}} y \leq -1 \\
-y \leq 0
\end{array}
\qquad\qquad
\begin{array}{l}
\bar A_c^{\mathrm{T}} z - (\bar\mu, 0) = 0 \\
-\bar b_c^{\mathrm{T}} z \leq 0 \\
-z \leq 0
\end{array}
\qquad (30) $$

where the unknowns are now the vectors $(y, \mu) \in \mathbb{Q}^{m+n}$ and $(z, \bar\mu) \in \mathbb{Q}^{(m+2)+(n+1)}$, respectively: $\mu$ and $\bar\mu$ are no longer fixed parameters but variables of the two systems.



The following completeness result generalizes Theorem 4.2.

Theorem 4.4. Let $C$ be the binary CLP(Q) clause $p(x) \mathrel{:-} c[x, x'], p(x')$, where $p$ is an $n$-ary predicate and $c[x, x']$ is a linear satisfiable constraint. Let $\mathrm{lrf}(C)$ be the set of linear ranking functions for $C$ and $\mathrm{ms}(C)$ be the set of solutions of (30) projected onto $\bar\mu$, that is,

$$ \mathrm{lrf}(C) := \Bigl\{ \bar\mu \in \mathbb{Q}^{n+1} \Bigm| \forall x, x' \in \mathbb{Q}^n : c[x, x'] \implies \sum_{i=1}^{n} \mu_i x_i - \sum_{i=1}^{n} \mu_i x'_i \geq 1 \;\wedge\; \mu_0 + \sum_{i=1}^{n} \mu_i x_i \geq 0 \Bigr\}, $$

$$ \mathrm{ms}(C) := \bigl\{ \bar\mu \in \mathbb{Q}^{n+1} \bigm| (y, \mu) \text{ and } (z, \bar\mu) \text{ are solutions of the problems (30)} \bigr\}. $$

Then $\mathrm{lrf}(C) = \mathrm{ms}(C)$.

Proof. We use $l$ and $r$ as subscripts of our references to the LP problems (28), (29) and (30) to denote the LP problems on the left and the LP problems on the right.

$\mathrm{ms}(C) \subseteq \mathrm{lrf}(C)$. Assume that (30) is feasible and let $(y, \mu)$ be a solution of $(30)_l$ and $(z, \bar\mu)$ be a solution of $(30)_r$. For this choice of $\bar\mu$, the corresponding LP problems $(28)_l$ and $(29)_l$ are bounded by 1 while the corresponding LP problems $(28)_r$ and $(29)_r$ are bounded by 0. Hence we have

$$ \forall x, x' \in \mathbb{Q}^n : c[x, x'] \implies \sum_{i=1}^{n} \mu_i x_i - \sum_{i=1}^{n} \mu_i x'_i \geq 1 $$

and

$$ \forall x, x' \in \mathbb{Q}^n : c[x, x'] \implies \mu_0 + \sum_{i=1}^{n} \mu_i x_i \geq 0. $$

Thus

$$ \forall x, x' \in \mathbb{Q}^n : c[x, x'] \implies \sum_{i=1}^{n} \mu_i x_i - \sum_{i=1}^{n} \mu_i x'_i \geq 1 \;\wedge\; \mu_0 + \sum_{i=1}^{n} \mu_i x_i \geq 0, $$

so that $\bar\mu \in \mathrm{lrf}(C)$.

$\mathrm{lrf}(C) \subseteq \mathrm{ms}(C)$. Let us pick $\bar\mu \in \mathrm{lrf}(C)$. For this choice, the corresponding LP problems (28) are bounded by 1 and 0, and so are their duals (29). Let $y$ be an optimal solution for $(29)_l$. Thus $(y, \mu)$ is a feasible solution of $(30)_l$. Similarly, let $z$ be an optimal solution for $(29)_r$. Thus $(z, \bar\mu)$ is a feasible solution of $(30)_r$. Hence $\bar\mu \in \mathrm{ms}(C)$. $\square$

Moreover, even for the case of the linear fragment of CLP(Q) (and CLP(R)), checking for the existence of a linear ranking function is a weakly polynomial problem.

Corollary 4.5. Let $C$ be the binary CLP(Q) clause $p(x) \mathrel{:-} c[x, x'], p(x')$, where $c[x, x']$ is a linear satisfiable constraint. The decision problem $\mathrm{lrf}(C) = \emptyset$ is in P.

A space of ranking functions can be obtained (at a computational price that is no longer polynomial) by projecting the constraints of (30) onto $\bar\mu$. Any $\bar\mu$ satisfying all the projected constraints corresponds to one ranking function that, subject to $c[x, x']$, is bounded from below by 0 and that decreases by at least 1 at each iteration. From these "normalized" ranking functions, the opposite of the transformation outlined in Section 3 allows to recover all affine ranking functions: these are induced by the set of parameters

$$ \bigl\{ (h, k\mu) \bigm| (\mu_0, \mu) \in \mathrm{ms}(C),\; h \in \mathbb{Q},\; k \in \mathbb{Q}_+ \setminus \{0\} \bigr\}. \qquad (31) $$

4.4. Application to the Analysis of Imperative While Loops

The generalization of Mesnard and Serebrenik can be used, almost unchanged, to analyze the termination behavior of imperative while loops with integer- or rational-valued variables. Consider a loop of the form

    {I} while B do C

where $I$ is known to hold before any evaluation of $B$ and $C$ is known to always terminate in that loop. Termination analysis is conducted as follows:

1. Variables are duplicated: if $x$ are the $n$ variables of the original loop, we introduce a new tuple of variables $x'$.

2. An analyzer based on convex polyhedra [41] is used to analyze the following program:

        {I}
        x' := x;
        if B[x'/x] then
          C[x'/x]
        ★                                   (32)

   Let the invariant obtained for the program point marked with ★ be $c[x, x']$; this is a finite conjunction of linear constraints.

3. The method of Mesnard and Serebrenik is now applied to the CLP(Q) clause $p(x) \mathrel{:-} c[x, x'], p(x')$: if termination can be established for that clause, then the while loop we started with will terminate.

Notice how the clause $p(x) \mathrel{:-} c[x, x'], p(x')$ approximates the termination behavior of the loop: if we interpret the predicate $p$ applied to $x$ as "the loop guard is evaluated on values $x$," then the clause can be read as "if the loop guard is evaluated on values $x$, and $c[x, x']$ holds, then the loop guard will be evaluated again on values $x'$."

We illustrate the overall methodology with an example.
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Example 4.6. The following program, where Xi and y take values in Z, com- 
putes and stores in X2 the integer base-2 logarithm of xi if xi > 0, otherwise: 

X2 0; 

{xi > Axs > 0} 
while xi > 2 do 
xi := xi div 2; 

X2 := X2 + 1 

where the loop invariant {xi > 0Aa;2 > 0} has been obtained by static analysis. 
After the duplication of variables, we submit to the analyzer the program 

{xi > Axs > 0} 

'.— X2 '■— x^'i 
if x'l > 2 then 

x'l := x'l div 2; 

X2 X2 ~\~ 1 

* 

and we obtain, for program point the invariant 

a;i > 2 A 2x1 + 1 > xi A "^^'i < 2^1 A xj, = a;2 + 1 A > 1. 

Applying the method of Mesnard and Serebrenik we obtain that, for each 
1^0, 1-^1, G Q such that /ii — /12 > 1, M2 > 0, and /iq + 2/j,i > 0, the function 
f{xi,X2) ■= jJLo + fjiixi + ^2X2 is a ranking function for the given while loop. 
It is interesting to observe that the first constraint guarantees strict decrease 
(at least 1), the addition of the second constraint guarantees boundedness from 
below, while the further addition of the third constraint ensures nonnegativity, 
i.e., that is a lower bound. 
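
As an added worked derivation (ours, not part of the original paper), the two systems (30) can be written out for the invariant of Example 4.6 and projected onto $\bar\mu$ by hand; this shows where the three constraints above come from. The rows of $A_c (x, x') \geq b_c$ are taken in the order of the invariant displayed above, over the unknowns $(x_1, x_2, x'_1, x'_2)$, and the elimination steps are ours.

```latex
% Rows of A_c (x, x') >= b_c, in the order of the invariant of Example 4.6:
A_c = \begin{pmatrix}
 1 &  0 &  0 &  0 \\   % x_1 >= 2
-1 &  0 &  2 &  0 \\   % 2x'_1 + 1 >= x_1
 1 &  0 & -2 &  0 \\   % x_1 >= 2x'_1
 0 & -1 &  0 &  1 \\   % x'_2 >= x_2 + 1
 0 &  1 &  0 & -1 \\   % x_2 + 1 >= x'_2
 0 &  0 &  0 &  1      % x'_2 >= 1
\end{pmatrix},
\qquad
b_c = (2, -1, 0, 1, -1, 1)^{\mathrm{T}}.

% Left system (30)_l, unknowns y in Q_+^6 and mu = (mu_1, mu_2).
% A_c^T y = (mu, -mu) reads, component by component (x_1, x_2, x'_1, x'_2):
y_1 - y_2 + y_3 = \mu_1, \quad
-y_4 + y_5 = \mu_2, \quad
2y_2 - 2y_3 = -\mu_1, \quad
y_4 - y_5 + y_6 = -\mu_2 .
% Hence y_3 = y_2 + mu_1/2, y_1 = mu_1/2 and y_6 = 0; the cost condition
% b_c^T y >= 1 becomes
2y_1 - y_2 + y_4 - y_5 + y_6 = \mu_1 - \mu_2 - y_2 \geq 1 .
% With y >= 0 this is satisfiable iff m_1 >= 0 and mu_1 - mu_2 >= 1
% (take y_2 = 0, y_1 = y_3 = mu_1/2, y_4 = max(0, -mu_2), y_5 = max(0, mu_2)).

% Right system (30)_r, unknowns z = (z_1, z_2, y') in Q_+^8 and
% mu-bar = (mu_0, mu_1, mu_2).  Abar_c^T z = (mu-bar, 0) adds the x_0
% component and forces the x'_1, x'_2 components to zero:
z_1 - z_2 = \mu_0, \quad
y'_1 - y'_2 + y'_3 = \mu_1, \quad
-y'_4 + y'_5 = \mu_2, \quad
2y'_2 - 2y'_3 = 0, \quad
y'_4 - y'_5 + y'_6 = 0 .
% Hence y'_3 = y'_2, y'_1 = mu_1 and y'_6 = mu_2, so y' >= 0 forces
% mu_1 >= 0 and mu_2 >= 0; the cost condition bbar_c^T z >= 0 becomes
z_1 - z_2 + 2y'_1 - y'_2 + y'_4 - y'_5 + y'_6 = \mu_0 + 2\mu_1 - y'_2 \geq 0 ,
% satisfiable iff mu_0 + 2 mu_1 >= 0 (take y'_2 = y'_3 = 0).

% Projection of (30) onto mu-bar (mu_1 >= 0 is implied by the first two):
\mu_1 - \mu_2 \geq 1, \qquad \mu_2 \geq 0, \qquad \mu_0 + 2\mu_1 \geq 0 .
```

The left system alone only yields $\mu_1 - \mu_2 \geq 1$ and $\mu_1 \geq 0$ (decrease without any lower bound); the sign constraint $\mu_2 \geq 0$ and the lower bound $\mu_0 + 2\mu_1 \geq 0$ both come from the right system, matching the reading of the three constraints given in the example.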

4.5. Application to Conditional Termination Analysis

An important observation is that the method of Mesnard and Serebrenik is immediately applicable in conditional termination analysis. This is the problem of (automatically) inferring the preconditions under which code that does not universally terminate (i.e., there are inputs for which it does loop forever) is guaranteed to terminate. This problem has been recently studied in [42], where preconditions are inferred under which functions that are either decreasing or bounded become proper ranking functions. The two systems in (30), projected onto $\bar\mu$, exactly define the space of decreasing candidate ranking functions (the left system) and the space of non-negative candidate ranking functions (the right system), respectively. While this is subject for future research, we believe that the availability of these two spaces allows to improve the techniques presented in [42].
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5. The Approach of Podelski and Rybalchenko 



Andreas Podelski and Andrey Rybalchenko 0] introduce a method for find- 
ing linear ranking functions for a particular class of unnested while loops that, 
with the help of a preliminary analysis phase, is indeed completely general. 

Consider a while loop of the form 

{1} 

while B do 

▼ (33) 

C 

* 

in which variables Xi, . . . , Xn occur. Suppose we have determined (e.g., by a 
data-flow analysis based on convex polyhedra) that the invariant 

n 

'^gk,iXt<bk, for A: = 1, . . . , r, (34) 



holds at the program point marked with 'T', while the invariant 

n n 

'^a'^. ^x'^<^^ak^iXi+bk, for k ^ r + 1, . . . , r + s, (35) 

i=l i=l 

holds at the program point marked with where unprimed variables represent 
the values before the update and primed variables represent the values after the 
update, and all the coefficients and variables are assumed to take values in 

The inequalities in (1341) can be expressed in the form psp by just defining 
a'f. j :— and ak^i '■= —gk,i for i = 1, . . . , n and fc = 1, . . . , r. The conjunction 
of (p4)) and (|35|) can now be stated in matrix form as 




where the matrix (A A') is obtained by juxtaposition of the two {r + s) x n 
matrices A := {—ak.i) and A' := {a'^. J, b := {bi, 62, ... , ^r+s) and, as explained 
in Section[21 {x, x') is obtained by juxtaposing the vectors x :~ {xi, X2, ■ ■ ■ , Xn) 
and x' :— {x'l, x'2, ■ ■ ■ , ^n)- 

Podelski and Rybalchenko have proved that ([33| is guaranteed to terminate 
on all possible inputs if there exist two (r-l-s)-dimensional non- negative rational 
vectors Ai and A2 such that 111 



^■'In Q variables are said to have integer domain, but this restriction seems unnecessary 
and, in fact, it is not present in [43||. 

^^For an informal justification of these equations, see Section l5.2l a more detailed explana- 
tion is provided in Section 15.31 
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XJA' = 0, 



(Ar-A^)A 



0, 
0, 



X^b < 0. 



(37a) 
(37b) 
(37c) 
(37d) 



Note that we have either zero or infinitely many solutions, since if the pair of 
vectors Ai and A2 satisfies the constraints, then the pair A:Ai and kX2 satisfies 
them as well, for any k S Q+ \ {0}. Podelski and Rybalchenko proved also the 
following completeness result: if the iterations of (|33|) are completely character- 
ized by conditions (IM)) and ([55]) — in which case they call it a "simple linear 
loop" — then Ai, A2 G Q^^'^ satisfying conditions p7ap - (|37dp exist if and only 
if the program terminates for all inputs. 

5.1. Generation of Ranking Functions

For each pair of vectors $\lambda_1$ and $\lambda_2$ satisfying the conditions (37a)-(37d), a linear ranking function for the considered program can be obtained as

$$ f(x) := \lambda_2^{\mathrm{T}} A' x. \qquad (38) $$

In [44] a slightly more complex form is proposed, namely:

$$ f(x) := \begin{cases}
\lambda_2^{\mathrm{T}} A' x, & \text{if there exists } x' \text{ such that } (A \; A') \, (x, x') \leq b; \\
(\lambda_2 - \lambda_1)^{\mathrm{T}} b, & \text{otherwise;}
\end{cases} \qquad (39) $$

but the extra provisions are actually necessary only if one is interested in an "extended ranking function" that is strictly decreasing also on the very last iteration of the loop, that is, when the effect of the command $C$ is such that $x$ would violate the loop guard $B$ at the following iteration. As this more complex definition does not seem to provide any additional benefit, we disregard it and consider only the linear ranking function (38).



Example 5.1. Consider again the program of Example 4.6. The invariants in the forms dictated by (34) and (35) are given by the systems $\{-x_1 \leq -2,\; -x'_2 \leq -1\}$ and $\{2x'_1 \leq x_1,\; -2x'_1 - 1 \leq -x_1,\; -x'_2 \leq -x_2 - 1,\; x'_2 \leq x_2 + 1\}$, respectively. These can be expressed in the matrix form (36), listing the rows in the order $-x_1 \leq -2$, $-x_1 + 2x'_1 \leq 0$, $x_1 - 2x'_1 \leq 1$, $x_2 - x'_2 \leq -1$, $-x_2 + x'_2 \leq 1$, $-x'_2 \leq -1$, by letting

$$ A := \begin{pmatrix} -1 & 0 \\ -1 & 0 \\ 1 & 0 \\ 0 & 1 \\ 0 & -1 \\ 0 & 0 \end{pmatrix}, \qquad
A' := \begin{pmatrix} 0 & 0 \\ 2 & 0 \\ -2 & 0 \\ 0 & -1 \\ 0 & 1 \\ 0 & -1 \end{pmatrix}, \qquad
b := \begin{pmatrix} -2 \\ 0 \\ 1 \\ -1 \\ 1 \\ -1 \end{pmatrix}. $$

Two non-negative rational vectors solving the system (37) are, for instance, $\lambda_1 = (2, 0, 0, 0, 0, 0)^{\mathrm{T}}$ and $\lambda_2 = (1, 1, 0, 0, 0, 0)^{\mathrm{T}}$; by (38) they yield the ranking function $f(x) = \lambda_2^{\mathrm{T}} A' x = 2x_1$.



5.2. Justification of the Approach

A reader of [44] wonders where the method of Podelski and Rybalchenko comes from. In fact, the paper does not give an intuition about why conditions (37a)-(37d) imply termination of (33). Those conditions can be mapped into a strengthening, tailored to the linear case, of the well known Floyd termination verification conditions,^16 but such a higher level view needs to be extracted, with some effort, from the details of the proof of [44, Theorem 1]. The relative completeness of the approach is then proved in [44, Theorem 2] by exploiting the affine form of Farkas' Lemma, showing that such a strengthening is inconsequential for the case of linear ranking functions and simple linear loops.

5.3. Interpretation in Terms of Lagrangian Relaxation

The intuitive reading hidden in the proof details mentioned above is made explicit in [23, Section 6.2], where Patrick Cousot hints that the method by Podelski and Rybalchenko can be derived from the Floyd termination verification conditions by application of Lagrangian relaxation.^17 We now show that this is indeed the case.

Assuming we are dealing with affine ranking functions and adding the limitation that $r = 1$ in (34), the existence of an affine ranking function is formalized, following Floyd's method, by requiring the existence of $\mu \in \mathbb{Q}^n$ and $\mu_0, \delta \in \mathbb{Q}$ such that:

$$ \begin{array}{l}
\forall x, x' \in \mathbb{Q}^n : \sigma_1(x, x') \geq 0 \implies \mu^{\mathrm{T}} x + \mu_0 \geq 0, \\[2pt]
\forall x, x' \in \mathbb{Q}^n : \bigwedge_{k=1}^{m} \bigl( \sigma_k(x, x') \geq 0 \bigr) \implies \mu^{\mathrm{T}} (x - x') - \delta \geq 0, \\[2pt]
\delta > 0,
\end{array} $$

where the loop is described by the inequalities $\sigma_k(x, x') \geq 0$, with $\sigma_1$ being the inequality in (34). These are provided with the usual intuitive reading: the first implication states that the ranking function is always nonnegative at the head of the loop body; the second implication makes sure that the ranking function is decreasing on each loop iteration; the last constraint makes sure that such a decrease is strictly positive.

By applying Lagrangian relaxation, the two implications can be simplified away by introducing new, existentially quantified variables $\alpha \in \mathbb{Q}_+$ and $\beta \in \mathbb{Q}_+^m$, obtaining (for all $x, x' \in \mathbb{Q}^n$):

$$ \begin{array}{l}
\mu^{\mathrm{T}} x + \mu_0 - \alpha \, \sigma_1(x, x') \geq 0, \\[2pt]
\mu^{\mathrm{T}} (x - x') - \delta - \sum_{k=1}^{m} \beta_k \, \sigma_k(x, x') \geq 0, \\[2pt]
\delta > 0.
\end{array} $$

The limitation that $r = 1$ can actually be removed as long as $\alpha$ is replaced by a vector $\alpha \in \mathbb{Q}_+^r$. The generalization yields

$$ \begin{array}{l}
\mu^{\mathrm{T}} x + \mu_0 - \sum_{k=1}^{r} \alpha_k \, \sigma_k(x, x') \geq 0, \\[2pt]
\mu^{\mathrm{T}} (x - x') - \delta - \sum_{k=1}^{m} \beta_k \, \sigma_k(x, x') \geq 0, \\[2pt]
\delta > 0.
\end{array} $$

If, and this is the case in the Podelski and Rybalchenko method, the constraints $\sigma_k(x, x')$ for $k = 1, \ldots, m$ are affine functions of $(x, x')$, the sums can be interpreted as matrix products and the conditions rewritten as follows, where $A$, $A'$ and $b$ are the same as in (36) (so that $\sigma(x, x') = (-A \;\; -A' \;\; b)\,(x, x', 1)$):

$$ \begin{array}{ll}
\Bigl( (\mu, 0, \mu_0)^{\mathrm{T}} - (\alpha, 0)^{\mathrm{T}} \begin{pmatrix} -A & -A' & b \end{pmatrix} \Bigr) (x, x', 1) \geq 0 & (40a) \\[4pt]
\Bigl( (\mu, -\mu, -\delta)^{\mathrm{T}} - \beta^{\mathrm{T}} \begin{pmatrix} -A & -A' & b \end{pmatrix} \Bigr) (x, x', 1) \geq 0 & (40b) \\[4pt]
\delta > 0 & (40c)
\end{array} $$

Note that the inequalities (40a)-(40c) must hold for every possible value of $x$ and $x'$ in the whole space $\mathbb{Q}^n$. Therefore, by a suitable choice of $x$ and $x'$, each element of the coefficient vectors in (40a) and (40b) can be shown to be necessarily zero.^18 We define $\lambda_1 = (\alpha, 0)$ and $\lambda_2 = \beta$, obtaining:

$$ \begin{array}{ll}
\mu = -\lambda_1^{\mathrm{T}} A, & \mu = -\lambda_2^{\mathrm{T}} A, \\
0 = \lambda_1^{\mathrm{T}} A', & -\mu = -\lambda_2^{\mathrm{T}} A', \\
\mu_0 = \lambda_1^{\mathrm{T}} b, & -\delta = \lambda_2^{\mathrm{T}} b, \qquad \delta > 0.
\end{array} $$

These relations can finally be rearranged to yield:

$$ \begin{array}{ll}
\lambda_1^{\mathrm{T}} A' = 0, & \mu = \lambda_2^{\mathrm{T}} A', \\
(\lambda_1^{\mathrm{T}} - \lambda_2^{\mathrm{T}}) A = 0, & \mu_0 = \lambda_1^{\mathrm{T}} b, \\
\lambda_2^{\mathrm{T}} (A + A') = 0, & \delta = -\lambda_2^{\mathrm{T}} b, \\
\lambda_2^{\mathrm{T}} b < 0,
\end{array} $$

where the conditions (37a)-(37d) appear on the left hand side and the conditions on the coefficients of the synthesized ranking functions appear on the right hand side, expressed in terms of $\lambda_1$ and $\lambda_2$.

^16 A. Rybalchenko, personal communication, 2011.

^17 Lagrangian relaxation is a standard device to convert entailment into constraint solving: given a finite dimensional vector space $V$, a positive integer $n$ and functions $f_k : V \to \mathbb{R}$ for $k = 0, \ldots, n$, the property that, for each $x \in V$, $\bigwedge_{k=1}^{n} f_k(x) \geq 0 \implies f_0(x) \geq 0$ can be relaxed to proving the existence of a vector $\alpha \in \mathbb{Q}_+^n$ such that, for all $x \in V$, $f_0(x) - \sum_{k=1}^{n} \alpha_k f_k(x) \geq 0$. If the $f_k$ are affine functions, the latter condition is equivalent to the former.

^18 We explicitly require that the extra coefficients added to $\alpha$ be zero for consistency with the derivation. However, even though Podelski and Rybalchenko admit any nonnegative rational numbers to appear in those positions of $\lambda_1$, there is no loss of generality: the synthesized ranking functions (38) do not depend on these coefficients.

5.4. An Alternative Implementation Approach

As long as the distinction between invariants (34) and (35) is retained, the method of Podelski and Rybalchenko can be implemented following an alternative approach. The linear invariants (36) are more precisely described by

$$ \begin{pmatrix} A_B & 0 \\ A_C & A'_C \end{pmatrix} (x, x') \leq (b_B, b_C), \qquad (41) $$

where $A_B \in \mathbb{Q}^{\ell \times n}$, $A_C \in \mathbb{Q}^{m \times n}$, $A'_C \in \mathbb{Q}^{m \times n}$, $b_B \in \mathbb{Q}^{\ell}$, $b_C \in \mathbb{Q}^{m}$. As shown in Section 5.3, the existence of a linear ranking function for the system (41) is equivalent to the existence of three vectors $v_1 \in \mathbb{Q}_+^{\ell}$, $v_2 \in \mathbb{Q}_+^{\ell}$, $v_3 \in \mathbb{Q}_+^{m}$ such that

$$ \begin{array}{ll}
(v_1 - v_2)^{\mathrm{T}} A_B - v_3^{\mathrm{T}} A_C = 0, & (42a) \\
v_2^{\mathrm{T}} A_B + v_3^{\mathrm{T}} (A_C + A'_C) = 0, & (42b) \\
v_2^{\mathrm{T}} b_B + v_3^{\mathrm{T}} b_C < 0. & (42c)
\end{array} $$

As already noted, the two vectors of the original Podelski and Rybalchenko method can be reconstructed as $\lambda_1 = (v_1, 0)$ and $\lambda_2 = (v_2, v_3)$ (condition (37a) then holds trivially, since the $A'$ block of the rows of $A_B$ is zero).

Note that the same approach is still valid when starting from the single matrix form (36) in full generality, i.e., when we can't assume that the distinction between invariants (34) and (35) has been retained or that invariants are listed in the order we used to build the matrix form (36): it is enough to apply a straightforward permutation to (36) to rearrange it in the form (41). In that case, due to the permutation involved, we would solve a different linear programming problem; however, we still obtain the same space of linear ranking functions we would have obtained by applying the original method starting from the matrix form (36), as we prove using the following lemma.

Lemma 5.2. Let $S$ be the space of linear ranking functions obtained by applying the method of Podelski and Rybalchenko to $(A \; A') \, (x, x') \leq b$, i.e.,

$$ S := \bigl\{ (\lambda_2^{\mathrm{T}} A', \lambda_1^{\mathrm{T}} b) \in \mathbb{Q}^{n+1} \bigm| (\lambda_1, \lambda_2) \text{ is a solution of (37)} \bigr\}, $$

and let $P \in \mathbb{Q}^{(r+s) \times (r+s)}$ be a permutation matrix.^19 Then the application of the method of Podelski and Rybalchenko to $P (A \; A') \, (x, x') \leq P b$ yields the same space of linear ranking functions $S$.

^19 We recall that a $k$-dimensional permutation matrix is a square matrix obtained by a permutation of the rows or columns of the $k$-dimensional identity matrix.
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Proof. The system ([57)) corresponding to P (^A A') (a;, x') < Pb becomes 



VIPA' = 0, 

rjlP{A + A')=0, 
rilPb < 0, 



(43a) 
(43b) 
(43c) 
(43d) 



to be solved for the two (r + s)-dimensional non-negative rational vectors J71 
and r/2- 

Now, (Ai, A2) is a solution of (|37p if and only if (Ai, A2)P^^ is a solution 
of (|43|) : on one side, if (Ai,A2) is a solution of ([37]) then (771,772) defined as 
(771,772) (Ai,A2)P~^ is a solution of (j43|); on the other side, if (771,772) is 
a solution of (|43l) then (Ai,A2) defined as (Ai, A2) := (771, 772)^* is a solution 
of p7|) and the desired property can be verified by right- multiplying by P~^ 
both solutions. 

The space of linear ranking functions for the permuted system is 



Sp = { {r]lPA',rilPb) e (Q"+i | (771,772) is a solution of O } 

= { {XlP^PA'.XlP^Pb) e (Q"+i I (Ai, A2) is a solution of (E?]) } 

= s, 



and thus it is unaltered with respect to the space of linear ranking functions S 
corresponding to the non-permuted system. 

Since the system (|41|) is obtained by applying a suitable permutation to ([36|) . 
a straightforward application of this lemma proves that the space of linear rank- 
ing functions obtained is the same in both cases. 

Moreover, as Aj A' = I'gAp and Aib — Vibs, we can express the space of 
linear ranking functions as 

S := { {vlA'c, Vibe) £ (Q"+^ | (7^1,^2, V3) is a solution of (02]) }. 
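
As an added example (our own code, not part of the paper and not the PPL implementation), the following Python checks the certificates of Examples 4.6 and 5.1 exactly over $\mathbb{Q}$: it verifies (37a)-(37d) for the pair $(\lambda_1, \lambda_2)$ of Example 5.1, extracts the ranking function (38) together with the decrease $-\lambda_2^{\mathrm{T}} b$ and the lower bound $-\lambda_1^{\mathrm{T}} b$ that the derivation of Section 5.3 attaches to it, verifies the three-vector conditions (42a)-(42c) of Section 5.4 with the reconstruction $\lambda_1 = (v_1, 0)$, $\lambda_2 = (v_2, v_3)$, and exercises the row permutation of Lemma 5.2. It does not synthesize the certificates (that is the LP step the paper delegates to the PPL); it only checks given ones. The matrices are copied from Example 5.1 in the row order used there; the concrete-loop run, the split of the rows into an $A_B$ block and an $A_C$ block, and all function names are assumptions of this example.

```python
from fractions import Fraction as F

# Constructed input (not from the PPL): the integer log2 loop of Examples 4.6/5.1,
#   while x1 >= 2 do x1 := x1 div 2; x2 := x2 + 1
# as (A A')(x, x') <= b over (x1, x2) and (x1', x2'), rows ordered as in the
# matrices of Example 5.1 so that the certificate (lambda1, lambda2) given there applies.
A  = [[-1, 0], [-1, 0], [1, 0], [0, 1], [0, -1], [0, 0]]   # coefficients of x
AP = [[0, 0], [2, 0], [-2, 0], [0, -1], [0, 1], [0, -1]]   # coefficients of x'
B  = [-2, 0, 1, -1, 1, -1]
LAM1 = [2, 0, 0, 0, 0, 0]
LAM2 = [1, 1, 0, 0, 0, 0]


def dot(u, v):
    return sum(F(a) * F(b) for a, b in zip(u, v))


def vec_mat(v, m):
    """Row vector times matrix, v^T m, computed exactly over Q."""
    return [sum(F(vi) * F(row[j]) for vi, row in zip(v, m)) for j in range(len(m[0]))]


def mat_add(m1, m2):
    return [[F(p) + F(q) for p, q in zip(r1, r2)] for r1, r2 in zip(m1, m2)]


def vec_sub(u, v):
    return [F(p) - F(q) for p, q in zip(u, v)]


def pr_conditions(a, ap, b, lam1, lam2):
    """Exact check of (37a)-(37d) plus non-negativity; returns name -> bool."""
    zero = [0] * len(a[0])
    return {
        "nonneg": all(F(v) >= 0 for v in lam1 + lam2),
        "37a": vec_mat(lam1, ap) == zero,
        "37b": vec_mat(vec_sub(lam1, lam2), a) == zero,
        "37c": vec_mat(lam2, mat_add(a, ap)) == zero,
        "37d": dot(lam2, b) < 0,
    }


def pr_ranking_function(ap, b, lam1, lam2):
    """Coefficients of f(x) = lambda2^T A' x (38), the guaranteed decrease
    -lambda2^T b per iteration, and the lower bound -lambda1^T b (Section 5.3)."""
    return vec_mat(lam2, ap), -dot(lam2, b), -dot(lam1, b)


def alt_conditions(a_b, b_b, a_c, ap_c, b_c, v1, v2, v3):
    """Conditions (42a)-(42c) of the two-invariant formulation (41), plus the
    reconstructed certificate lambda1 = (v1, 0), lambda2 = (v2, v3)."""
    zero = [0] * len(a_b[0])
    ok = (vec_sub(vec_mat(vec_sub(v1, v2), a_b), vec_mat(v3, a_c)) == zero
          and [p + q for p, q in zip(vec_mat(v2, a_b),
                                     vec_mat(v3, mat_add(a_c, ap_c)))] == zero
          and dot(v2, b_b) + dot(v3, b_c) < 0)
    return ok, list(v1) + [0] * len(v3), list(v2) + list(v3)


def permute_rows(perm, a, ap, b, lam1, lam2):
    """Apply one row permutation to the system and to the certificate (Lemma 5.2)."""
    g = lambda rows: [rows[i] for i in perm]
    return g(a), g(ap), g(b), g(lam1), g(lam2)


def run_loop(x1, x2=0):
    """Concrete states (x1, x2) at each evaluation of the guard of the log2 loop."""
    states = [(x1, x2)]
    while x1 >= 2:
        x1, x2 = x1 // 2, x2 + 1
        states.append((x1, x2))
    return states


def check_ranking(coeffs, const, delta, lower, x1_0):
    """Floyd's two conditions on a concrete run: f(x) >= lower whenever the
    guard holds and f(x) - f(x') >= delta on every iteration."""
    f = lambda s: F(const) + dot(coeffs, s)
    states = run_loop(x1_0)
    return all(f(cur) >= lower and f(cur) - f(nxt) >= delta
               for cur, nxt in zip(states, states[1:]))


def ms_admissible(mu0, mu1, mu2):
    """The projected constraint space found in Example 4.6 by the MS method."""
    return mu1 - mu2 >= 1 and mu2 >= 0 and mu0 + 2 * mu1 >= 0


if __name__ == "__main__":
    print(pr_conditions(A, AP, B, LAM1, LAM2))            # every entry True
    coeffs, delta, lower = pr_ranking_function(AP, B, LAM1, LAM2)
    print(coeffs, delta, lower)                             # f(x) = 2*x1, decrease 2, f >= 4
    print(check_ranking(coeffs, 0, delta, lower, 1000))
    # The same function in MS normal form: mu = (-4, 2, 0) gives 2*x1 - 4 >= 0.
    print(ms_admissible(-4, 2, 0), check_ranking([2, 0], -4, 1, 0, 1000))
```

The permutation check is what Lemma 5.2 predicts: reordering the rows of $(A \; A')$ and $b$ together with the entries of $\lambda_1, \lambda_2$ leaves both the conditions and the pair $(\lambda_2^{\mathrm{T}} A', \lambda_1^{\mathrm{T}} b)$ unchanged. Using the paper's $\lambda_2$ against a different row order (for instance $(1, 0, 1, 0, 0, 0)$ with the order above) makes (37c) fail, which is why the row order of Example 5.1 is fixed explicitly at the top of the block.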

6. Comparison of the Two Methods

In this section we compare the method by Mesnard and Serebrenik with the method by Podelski and Rybalchenko: we first prove that they have the same "inferential power", then we compare their worst-case complexities, then we experimentally evaluate them on a representative set of benchmarks.

6.1. Equivalence of the Two Methods

We will now show that the method proposed by Mesnard and Serebrenik is equivalent to the one given by Podelski and Rybalchenko on the class of simple linear loops, i.e., that if one of the two methods can prove termination of a given simple linear loop, then the other one can do the same. This is an expected result since both methods claim to be complete on the class of programs considered.

It is worth noting that a completeness result was already stated in [15, Theorem 5.1] for the case of single predicate CLP(Q$_+$) procedures, which can be seen to be a close variant of the binary, directly recursive CLP(Q$_+$) programs considered in Theorem 4.2 and Corollary 4.3. Probably due to the programming paradigm mismatch, Podelski and Rybalchenko fail to recognize the actual strength and generality of the mentioned result, thereby claiming originality for their completeness result.

Theorem 6.1. Let $C$ be the binary CLP(Q) clause $p(x) \mathrel{:-} c[x, x'], p(x')$, where $p$ is an $n$-ary predicate and $c[x, x']$ is a linear satisfiable constraint. Let $\mathrm{pr}(C)$ and $\mathrm{ms}(C)$ be the spaces of linear ranking functions for $C$ obtained through the method of Podelski and Rybalchenko and through the method of Mesnard and Serebrenik, respectively, that is,

$$ \mathrm{pr}(C) := \bigl\{ (\lambda_2^{\mathrm{T}} A', \lambda_1^{\mathrm{T}} b) \in \mathbb{Q}^{n+1} \bigm| (\lambda_1, \lambda_2) \text{ is a solution of (37)} \bigr\}, $$

$$ \mathrm{ms}(C) := \bigl\{ k\bar\mu \in \mathbb{Q}^{n+1} \bigm| (y, \mu) \text{ and } (z, \bar\mu) \text{ are solutions of (30)},\; k \in \mathbb{Q}_+ \setminus \{0\} \bigr\}, $$

where $c[x, x']$ is equivalent to $(A \; A') \, (x, x') \leq b$ or to $A_c (x, x') \geq b_c$, respectively. Then $\mathrm{pr}(C) = \mathrm{ms}(C)$.

Proof. We will, as customary, prove the two inclusions $\mathrm{pr}(C) \subseteq \mathrm{ms}(C)$ and $\mathrm{pr}(C) \supseteq \mathrm{ms}(C)$.

$\mathrm{pr}(C) \subseteq \mathrm{ms}(C)$. Suppose that there exist two non-negative rational vectors $\lambda_1$ and $\lambda_2$ satisfying (37), i.e., $\lambda_1^{\mathrm{T}} A' = (\lambda_1^{\mathrm{T}} - \lambda_2^{\mathrm{T}}) A = \lambda_2^{\mathrm{T}} (A + A') = 0$ and $\lambda_2^{\mathrm{T}} b < 0$. We need to show that $(\lambda_2^{\mathrm{T}} A', \lambda_1^{\mathrm{T}} b) \in \mathrm{ms}(C)$, which is equivalent to proving that there exists a positive coefficient (that we can denote with $\frac{1}{k}$ without loss of generality) $k \in \mathbb{Q}_+ \setminus \{0\}$ such that $(\frac{1}{k} \lambda_2^{\mathrm{T}} A', \frac{1}{k} \lambda_1^{\mathrm{T}} b) \in \mathrm{ms}(C)$, or, by Theorem 4.4, that $(\frac{1}{k} \lambda_2^{\mathrm{T}} A', \frac{1}{k} \lambda_1^{\mathrm{T}} b) \in \mathrm{lrf}(C)$, which is in turn equivalent, by definition, to $\lambda_2^{\mathrm{T}} A' x - \lambda_2^{\mathrm{T}} A' x' \geq k$ and $\lambda_1^{\mathrm{T}} b + \lambda_2^{\mathrm{T}} A' x \geq 0$. We have

$$ \begin{array}{rcll}
(A \; A') \, (x, x') \leq b & \implies & A x + A' x' \leq b \\
& \implies & -A x \geq A' x' - b \\
& \implies & -\lambda_2^{\mathrm{T}} A x \geq \lambda_2^{\mathrm{T}} A' x' - \lambda_2^{\mathrm{T}} b & [\text{by } \lambda_2 \geq 0] \\
& \implies & \lambda_2^{\mathrm{T}} A' x \geq \lambda_2^{\mathrm{T}} A' x' - \lambda_2^{\mathrm{T}} b & [\text{by (37c)}]
\end{array} $$

and the former property is satisfied if we choose $k = -\lambda_2^{\mathrm{T}} b$, which is strictly positive by relation (37d). For the latter property, we have

$$ \begin{array}{rcll}
A x + A' x' \leq b & \implies & \lambda_1^{\mathrm{T}} A x + \lambda_1^{\mathrm{T}} A' x' \leq \lambda_1^{\mathrm{T}} b & [\text{as } \lambda_1 \text{ is non-negative}] \\
& \implies & \lambda_1^{\mathrm{T}} A x \leq \lambda_1^{\mathrm{T}} b & [\text{by (37a)}] \\
& \implies & \lambda_2^{\mathrm{T}} A x \leq \lambda_1^{\mathrm{T}} b & [\text{by (37b)}] \\
& \implies & -\lambda_2^{\mathrm{T}} A' x \leq \lambda_1^{\mathrm{T}} b & [\text{by (37c)}]
\end{array} $$

and both properties are thus proved.
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pr(C) 3 nis(C). In order to prove the inverse containment, we will need to 
recall the afhnc form of Farkas' Lemma (see 'io']). 

Lemma 6.2 (Affine form of Farkas' lemma). Let P be a nonempty poly- 
hedron defined by the inequalities Cx + d > 0. Then an affine function f{x) is 
non-negative everywhere in P if and only if it is a positive affine combination 
of the columns of Cx + d: f{x) = Aq + X^{Cx + d) with Aq > 0, A > 0. 

Let jx e fns(C). Then there exists /i £ Q+ \ {0} such that hfi G hf(C) 
describes a linear ranking function / for C. 

The inequalities (A A') (a;, x') < b define a polyhedron; according to the 
affine form of Farkas' lemma, a function is non-negative on this polyhedron, 
i.e., throughout the loop, if and only if it is a positive affine combination of the 
column vectors (A A') {x.x') < b. In particular this holds for the ranking 
function / and its two properties: f{x) > and f{x) — f{x') > 1. 

Hence there exist two non-negative rational vectors Ai and A2 and two non- 
negative numbers Ao,i and Ao,2 such that 

f{x)^Xo^i+Xj{-{A A'){x,x') + b) 

and 

fix) - fix') - 1 - Ao,2 + A^ (- (A A') (x, x') + b) . 

Replacing fix) by h^ix -\- h^o, we get two equalities — one for the part 
containing variables and one for the remaining part — for each expression. After 
simplification we obtain the following equalities: 

-A[ (A A') (a;, x') = h^x (44a) 
-A^ (A A') (x, x') = hfix - hfix' (44b) 
X^b = 1 + Ao,2 (44c) 

From (Pa|) and (pb]) we obtain A;^ A = -/i/x^, XJA' = 0, A|A = -hfj.'^ 
and A^A' = hfi'^. We can rewrite it as = A;^A' = (A;^ - A|)A = A|(A + A'). 
From (I44cp we deduce Ajb < 0. 

The four conditions ([57)1 to prove termination by 0] are thus satisfied. 

The combination of Theorems 4.4 and 6.1 gives:

Theorem 6.3. Let $C$ be the binary CLP(Q) clause $p(x) \mathrel{:-} c[x, x'], p(x')$, where $p$ is an $n$-ary predicate and $c[x, x']$ is a linear satisfiable constraint. Let $\mathrm{lrf}(C)$ be the set of (positive multiples of) linear ranking functions for $C$, $\mathrm{ms}(C)$ be the set of (positive multiples of) solutions of the Mesnard and Serebrenik system (30) projected onto $\bar\mu$ and $\mathrm{pr}(C)$ be the set of the ranking function coefficients obtained through the method of Podelski and Rybalchenko, that is,

$$ \mathrm{lrf}(C) := \Bigl\{ k\bar\mu \in \mathbb{Q}^{n+1} \Bigm| \forall x, x' \in \mathbb{Q}^n : c[x, x'] \implies \sum_{i=1}^{n} \mu_i x_i - \sum_{i=1}^{n} \mu_i x'_i \geq 1 \;\wedge\; \mu_0 + \sum_{i=1}^{n} \mu_i x_i \geq 0,\; k \in \mathbb{Q}_+ \setminus \{0\} \Bigr\}, $$

$$ \mathrm{ms}(C) := \bigl\{ k\bar\mu \in \mathbb{Q}^{n+1} \bigm| (y, \mu) \text{ and } (z, \bar\mu) \text{ are solutions of (30)},\; k \in \mathbb{Q}_+ \setminus \{0\} \bigr\}, $$

$$ \mathrm{pr}(C) := \bigl\{ (\lambda_2^{\mathrm{T}} A', \lambda_1^{\mathrm{T}} b) \in \mathbb{Q}^{n+1} \bigm| (\lambda_1, \lambda_2) \text{ is a solution of (37)} \bigr\}, $$

where $c[x, x']$ is equivalent to $(A \; A') \, (x, x') \leq b$ or to $A_c (x, x') \geq b_c$, respectively. Then $\mathrm{lrf}(C) = \mathrm{ms}(C) = \mathrm{pr}(C)$.

6.2. Worst-Case Complexity Using the Simplex Algorithm

The computationally most expensive component in both methods is the resolution of a linear optimization problem that can always be expressed in the standard form

$$ \begin{array}{ll}
\text{minimize} & c^{\mathrm{T}} x \\
\text{subject to} & A x = b \\
& x \geq 0
\end{array} $$

by applying well known transformations: inequalities and unconstrained (i.e., not subject to lower or upper bounds) variables can be replaced and the resulting equivalent problem in standard form has one more variable for each inequality or unconstrained variable appearing in the original problem.

The most common way to solve these linear optimization problems involves using the simplex algorithm [45], an iterative algorithm that requires $\binom{e+u}{e}$ pivoting steps in the worst-case scenario, where $e$ and $u$ denote the number of equalities in $A$ and unknowns in $x$ respectively.

For a simple linear loop of $m$ inequalities over $n$ variables, Podelski and Rybalchenko require to solve a linear problem in standard form having $3n$ equalities over $2m$ variables (the opposite of the expression appearing in (37d) can be used as the quantity to be minimized); this gives a worst-case complexity of $\binom{3n+2m}{3n}$ pivoting steps, corresponding, by Stirling's formula, to an exponential complexity of exponent $3n + 2m$ approximately.^20

If the alternative formalization of the Podelski and Rybalchenko method is adopted for the same loop, then we will have the same $m$ constraints as above for the '★' invariant, while the '▼' invariant will be described by other $\ell$ constraints. If redundant constraints are removed, we will have $\ell \leq m$. Hence, the alternative approach will result in a linear programming problem having $2n$ equalities over $m + 2\ell$ variables. Hence, the worst-case number of pivoting steps will be an exponential of exponent approximately $2n + m + 2\ell$.

^20 When $a + b \to \infty$, by Stirling's formula we have $\binom{a+b}{a} \leq C \, 2^{a+b} (a+b)^{-1/2}$, where $C$ is an absolute constant. This inequality is sharp. Notice however that if $a$, say, is known to be much smaller than $b$, a much stronger inequality can be given, namely $\binom{a+b}{a} \leq (a+b)^a / a!$.

For the same simple linear loop, Serebrenik and Mesnard require the resolution of two linear problems, that can be rewritten to contain $2n$ equalities over $m + n$ variables (with $n$ unconstrained variables) and $2n + 1$ equalities over $(m + 2) + (n + 1)$ variables (with $n + 1$ unconstrained variables), respectively. They can then be merged to generate a single linear problem of $4n + 1$ equalities over $m + (m + 2) + (n + 1)$ variables, $n + 1$ of which unconstrained, and an extra inequality replacing one of the two objective functions. In the end, we get a linear problem in standard form with $4n + 2$ equalities over $2m + 2n + 5$ variables. This means a worst-case complexity of $\binom{6n+2m+7}{4n+2}$ pivoting steps and an exponential complexity of exponent $6n + 2m$ approximately.

So the method proposed by Podelski and Rybalchenko has, in general, a lower worst-case complexity than the one proposed by Mesnard and Serebrenik, if the single linear problem approach is chosen. The comparison of the two alternative implementation approaches for the Podelski and Rybalchenko method depends on the relations between quantities $n$, $m$ and $\ell$. On the one hand, if $\ell$ is significantly smaller than $m$, then the alternative approach could result in an efficiency improvement. On the other hand, if the number of constraints is much higher than the number of variables, then the original implementation approach should be preferred. Note that the need for two loop invariants instead of a single one should not be seen as a big practical problem: in fact, most analysis frameworks will provide the '▼' invariant as the original input to the termination analysis tool, which will then use it to compute the '★' invariant (via the abstract execution of a single iteration of the loop); that is, the computational cost for the '▼' invariant is implicitly paid anyway.

It is well known, though, that the worst-case scenario for the simplex algorithm is extremely uncommon in practice. An average complexity analysis and, more recently, a smoothed complexity analysis have been carried out on the simplex algorithm and showed why it usually takes polynomial time. Besides the theoretical studies, several experimental evaluations of implementations of the simplex algorithm reported that the average number of pivoting steps seems to grow linearly with the sum $e + u$ of the number of equalities and unknowns of the problem. Therefore, for a more informative and meaningful comparison, the next section presents an experimental evaluation of the methods on a representative set of while loops.



7. Implementation and Experimental Evaluation 



The Parma Polyhedra Library (PPL) is a free software, professional library 
for the handling of numeric approximations targeted at static analysis and 
computer-aided verification of hardware and software systems [l,!!^]. The PPL, 
which features several unique innovations S Ei, M, [51I [5^ , is employed by 
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numerous projects in this field, most notably by GCC, the GNU Compiler Col- 
lection, probably the most widely used suite of compilers 

As an integral part of the overall project to which the present paper belongs 
— whose aim is to make the technology of the automatic synthesis of linear rank- 
ing functions thoroughly explained and generally available — , we have extended 
the PPL with all the methods discussed in the present paper. Previously, only 
a rather limited demo version of RankFinder was available, only in x86/Linux 
binary format, implementing the method by Podelski and Rybalchenkol3 In 
contrast, the PPL implementation is completely general and available, both in 
source and binary formats, with high-level interfaces to C, C++, Java, OCaml 
and six different Prolog systems. 

For each of the methods — Mesnard and Serebrenik (MS) or Podelski and 
Rybalchenko (PR) — , for each of the two possibilities to encode the input — 
either the single ir invariant of ([5^ in Section or the two T and ir invari- 
ants of p3p in Section [S] — , for each numerical abstractions supported by the 
PPL — including (not necessarily closed) convex polyhedra, bounded-difference 
shapes and octagonal shapes — , the PPL provides three distinct functionalities 
to investigate termination of the loop being analyzed: 

1. a Boolean termination test; 

2. a Boolean termination test that, in addition, returns the coefficients of 
one (not further specified) affine ranking function; 

3. a function returning a convex polyhedron that encodes the space of all 
affine ranking functions. 

In addition, for the MS method and for each of the two input encodings, the 
PPL provides 

4. a function returning two convex polyhedra that encode the space of all de- 
creasing functions (also known as quasi-ranking functions) and the space of 
all bounded functions, respectively, for use in conditional termination analysis. 
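The following self-contained Python program is an added illustration of functionalities 1, 3 and 4 and is not code from the PPL or from this paper; the names function_space, terminates and satisfies are invented for the illustration. It synthesizes affine ranking functions by projection, in the spirit of the MS method: it writes down the Farkas-lemma conditions under which r(x) = c.x is bounded below by delta0 on the loop and decreases by at least 1 at every iteration (any strictly positive decrease can be scaled to 1), and then eliminates the multipliers lambda1 and lambda2 exactly, by Gaussian substitution for equalities and Fourier-Motzkin for inequalities, over Python Fractions instead of the PPL's polyhedral domains. The loop is given in the single-invariant form A x + A1 x' <= b over the current state x and the next state x'. Dropping one of the two halves of the system yields the decreasing-function and bounded-function spaces of item 4. The three loops at the bottom are constructed toy examples, not loops from the benchmarks discussed below.

```python
"""Affine ranking functions by exact projection (added illustration, not PPL code)."""
from fractions import Fraction
from itertools import product

LE, EQ = "<=", "="    # a row is (coeffs, rhs, kind): coeffs . v <= rhs  or  coeffs . v = rhs


def eliminate(rows, j):
    """Project a list of rows onto the variables other than v_j."""
    for idx, (pc, pr, kind) in enumerate(rows):
        if kind == EQ and pc[j] != 0:                # Gaussian step: solve this equality for v_j
            out = []
            for k, (co, rhs, kd) in enumerate(rows):
                if k != idx:
                    f = co[j] / pc[j]
                    out.append(([a - f * p for a, p in zip(co, pc)], rhs - f * pr, kd))
            return out
    # Fourier-Motzkin step: only inequalities mention v_j; combine each positive
    # occurrence with each negative one using positive scalings that cancel v_j.
    pos = [r for r in rows if r[0][j] > 0]
    neg = [r for r in rows if r[0][j] < 0]
    out = [r for r in rows if r[0][j] == 0]
    for (pc, pr, _), (nc, nr, _) in product(pos, neg):
        fp, fn = 1 / pc[j], -1 / nc[j]
        out.append(([fp * a + fn * c for a, c in zip(pc, nc)], fp * pr + fn * nr, LE))
    return out


def simplify(rows):
    """Drop tautologies (0 <= 2, 0 = 0) and duplicates; keep contradictions (0 <= -1)."""
    seen, out = set(), []
    for co, rhs, kind in rows:
        if all(a == 0 for a in co) and (rhs >= 0 if kind == LE else rhs == 0):
            continue
        scale = next((abs(a) for a in co if a != 0), Fraction(1))
        key = (tuple(a / scale for a in co), rhs / scale, kind)
        if key not in seen:
            seen.add(key)
            out.append((list(key[0]), key[1], kind))
    return out


def function_space(A, A1, b, bounded=True, decreasing=True):
    """Polyhedron over (c_1..c_n, delta0) of the affine functions c.x that are bounded
    below by delta0 on the loop and/or decrease by at least 1 at every iteration.
    Both flags: all ranking functions (functionality 3); one flag: the decreasing-
    function or the bounded-function space (functionality 4)."""
    m, n = len(b), len(A[0])
    K = 2 * m + n + 1                       # variable layout: lambda1 | lambda2 | c | delta0
    l1, l2, c, d0 = (lambda i: i), (lambda i: m + i), (lambda j: 2 * m + j), 2 * m + n
    rows = []

    def add(entries, rhs, kind):
        v = [Fraction(0)] * K
        for idx, val in entries:
            v[idx] += Fraction(val)
        rows.append((v, Fraction(rhs), kind))

    for i in range(m):                                              # multipliers >= 0
        if bounded:
            add([(l1(i), -1)], 0, LE)
        if decreasing:
            add([(l2(i), -1)], 0, LE)
    for j in range(n):
        if bounded:      # lambda1 A = -c and lambda1 A1 = 0   (c.x >= delta0 on the loop)
            add([(l1(i), A[i][j]) for i in range(m)] + [(c(j), 1)], 0, EQ)
            add([(l1(i), A1[i][j]) for i in range(m)], 0, EQ)
        if decreasing:   # lambda2 A = -c and lambda2 A1 = c   (c.x - c.x' >= 1)
            add([(l2(i), A[i][j]) for i in range(m)] + [(c(j), 1)], 0, EQ)
            add([(l2(i), A1[i][j]) for i in range(m)] + [(c(j), -1)], 0, EQ)
    if bounded:
        add([(l1(i), b[i]) for i in range(m)] + [(d0, 1)], 0, LE)   # lambda1 . b <= -delta0
    if decreasing:
        add([(l2(i), b[i]) for i in range(m)], -1, LE)              # lambda2 . b <= -1
    for var in range(2 * m):                                        # project the multipliers away
        rows = simplify(eliminate(rows, var))
    return [(co[2 * m:], rhs, kind) for co, rhs, kind in rows]


def satisfies(space, point):
    """Is point = (c_1..c_n, delta0) inside the projected polyhedron?"""
    pt = [Fraction(p) for p in point]
    for co, rhs, kind in space:
        lhs = sum(a * p for a, p in zip(co, pt))
        if (lhs > rhs) if kind == LE else (lhs != rhs):
            return False
    return True


def terminates(A, A1, b):
    """Functionality 1: an affine ranking function exists iff the space is non-empty
    (complete when the loop constraint system itself is satisfiable)."""
    rows = function_space(A, A1, b)
    for var in range(len(A[0]) + 1):        # eliminate c and delta0 as well
        rows = simplify(eliminate(rows, var))
    return not rows                         # only contradictions survive full elimination


# Constructed toy loops (not benchmark loops from the paper); rows over (x[, y], x'[, y']).
DEC = ([[-1], [-1], [1]], [[0], [1], [-1]], [-1, -1, 1])   # while (x >= 1) x = x - 1
INC = ([[-1], [-1], [1]], [[0], [1], [-1]], [0, 1, -1])    # while (x >= 0) x = x + 1
XY = ([[-1, 0], [0, -1], [-1, -1], [1, 1], [0, -1], [0, 1]],  # while (x >= 0 && y >= 0)
      [[0, 0], [0, 0], [1, 0], [-1, 0], [0, 1], [0, -1]],     #   { x = x + y; y = y - 1; }
      [0, 0, 0, 0, -1, 1])

if __name__ == "__main__":
    for name, loop in (("x--", DEC), ("x++", INC), ("x+=y; y--", XY)):
        print(name, "admits an affine ranking function:", terminates(*loop))
    print("all ranking functions of x--:", function_space(*DEC))  # the space c >= 1, delta0 <= c
```

For the decrementing loop the projected space is c >= 1 together with delta0 <= c (any positive multiple of x, bounded by its value at the loop boundary), for the incrementing loop it is empty, and for the two-variable loop it forces c_1 = 0 and c_2 >= 1, i.e. only multiples of y rank the loop. Calling function_space with bounded=False on the incrementing loop shows why item 4 matters for conditional termination: r(x) = -x is a decreasing function, but no bounded function is also decreasing. Fourier-Motzkin elimination can blow up exponentially in the number of inequalities; it is acceptable here only because equalities are removed by substitution first, and the PPL performs the same projection on its polyhedral domains far more efficiently.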

We have evaluated the performance of the new algorithms implemented in 
the PPL using the termination analyzer built into Julia, a state-of-the-art ana- 
lyzer for Java bytecode [53]. We have thus taken several Java programs in the 
Julia test suite and, using Julia, we have extracted the constraint systems that 
characterize the loops in the program that Julia cannot quickly resolve with 
syntax-based heuristics. This extraction phase allowed us to measure the per- 
formance of the methods described in the present paper, factoring out the time 
spent by Julia in all the analyses (nullness, sharing, path-length, unfolding, ...) 
that are needed to obtain such constraint systems. 

We first tested the performance (and correctness) of the new PPL implemen- 
tation against the implementation of the MS method, based on CLP(Q), previously 
used by Julia and against the implementation of PR, also based on CLP(Q), pro- 
vided by the demo version of RankFinder. The reason we did this comparison 
is that, while we know that the infinite-precision implementation of the simplex 
algorithm available in the PPL performs better than its direct competitors [1, 
Section 4, Table 3] (see footnote 14), we also know there is much room for 
improvement: it could have been the case that the constraint solver employed 
in modern CLP systems made our implementation useless. The result was quite 
satisfactory: the PPL implementation is one to two orders of magnitude faster 
over the considered benchmark suite. 

12 See http://bugseng.com/products/ppl for more information. 
13 See http://www7.in.tum.de/~rybal/rankfinder/, last checked on August 18th, 2011. 

Table 1: Benchmarks used in the experimental evaluation 
(n = number of variables, m = number of constraints; for each, the interval, 
the mean and the standard deviation, to two significant figures) 

benchmark      loops      n      mean n   sd n        m      mean m   sd m 
CaffeineMark     151   [1,9]       6.0    1.3    [2,26]       17.     3.8 
JLex             467   [1,14]      7.2    2.5    [2,45]       17.     6.7 
JavaCC           136   [1,14]      8.6    4.1    [1,45]       22.    12. 
Java_CUP          29   [2,14]      8.3    4.3    [5,45]       23.    13. 
Jess             151   [1,9]       6.0    1.3    [2,26]       17.     3.8 
Kitten          1484   [1,15]     11.     3.6    [2,45]       29.    10. 
NQueens          359   [1,14]      6.3    3.6    [2,45]       17.    10. 
Raytracer          8   [2,9]       4.5    2.7    [5,26]       11.     7.8 
Termination      121   [1,9]       4.2    3.5    [2,27]       12.     9.9 

The benchmark programs are: CaffeineMark, from Pendragon Software 
Corporation, measures the speed of Java; JLex is a lexical analyzer generator 
developed by Elliot Berk and C. Scott Ananian; JavaCC is a parser generator 
from Sun Microsystems; Java_CUP is a parser generator developed by Scott 
Hudson, Frank Flannery and C. Scott Ananian; Jess is a rule engine written 
by Ernest Friedman-Hill; Kitten is a didactic compiler for a simple impera- 
tive object-oriented language written by Fausto Spoto; NQueens is a solver of 
the n-queens problem which includes a library for binary decision diagrams; 
Raytracer is a ray-tracing program; Termination is a JAR file containing all 
the programs of [53, Figure 16]. In Table 1 we report, for each benchmark, the 
number of loops for which termination was investigated and the interval, mean 
and standard deviation (with two significant figures) of the quantities n (number 
of variables) and m (number of constraints) that characterize those loops. 

The results of the CPU-time comparison between the MS and PR methods 
are reported in Table 2. Measurements took place on a GNU/Linux system 
equipped with an Intel Core 2 Quad CPU Q9400 at 2.66 GHz and 8 Gbytes of 
main memory; a single core was used and the maximum resident set size over 
the entire set of tests was slightly above 53 Mbytes. From these we can conclude 
that the difference in performance between the two methods is rather limited. 



14 I.e., Cassowary (http://www.cs.washington.edu/research/constraints/cassowary/) 
and Wallaroo (http://sourceforge.net/projects/wallaroo/). While GLPK, the GNU Lin- 
ear Programming Kit (http://www.gnu.org/software/glpk/), includes a solver that is 
termed "exact," it still depends critically on floating point computations; moreover, it has not 
yet been made available in the public interface. 
Table 2: MS vs PR: CPU time in seconds 
(term. test = termination test; one r. f. = test returning one ranking function; 
all r. f. = space of all ranking functions) 

                  term. test        one r. f.         all r. f. 
benchmark         MS      PR        MS      PR        MS      PR 
CaffeineMark      0.42    0.26      0.43    0.25      0.31    0.34 
JLex              1.62    0.83      1.64    0.84      1.17    1.14 
JavaCC            0.86    0.43      0.87    0.45      0.67    0.65 
Java_CUP          0.35    0.14      0.35    0.14      0.29    0.22 
Jess              0.42    0.26      0.43    0.26      0.29    0.34 
Kitten           11.8     6.87     11.9     6.84      8.41   10.2 
NQueens           1.43    0.76      1.44    0.74      0.99    1.03 
Raytracer         0.04    0.03      0.04    0.03      0.03    0.03 
Termination       0.25    0.15      0.25    0.15      0.18    0.21 


Table 3: Precision results and application to conditional termination 
(term = loops proved terminating; w/ d.f. and w/o d.f. = remaining loops with 
and without a linear decreasing function) 

benchmark        loops    term    w/ d.f.    w/o d.f. 
CaffeineMark       151     149          0           2 
JLex               467     453          3          11 
JavaCC             136     120          4          12 
Java_CUP            29      27          0           2 
Jess               151     149          0           2 
Kitten            1484    1454          3          27 
NQueens            359     271          4          84 
Raytracer            8       6          0           2 
Termination        121     119          0           2 


The PR method is more efficient on the problem of semi-deciding termination, 
with or without the computation of a witness ranking function, while the MS 
method is superior on the problem of computing the space of all affine ranking 
functions. 

We also present, in Table 3, the precision results. For each benchmark, 
along with the total number of loops, we report the number of loops for which 
termination is decided positively, either with the MS or the PR method (column 
'term'); the remaining loops are divided, using the MS method, between those 
that admit a linear decreasing function (column 'w/ d.f.') and those that do 
not (column 'w/o d.f.'). It can be seen that the percentage of loops for which 
termination is decided positively ranges from 75% to 99%, depending on the 
benchmark. This means that we are conducting the experimental evaluation 
with a termination analyzer, Julia, whose analysis algorithms, though certainly 
improvable, very often provide enough information for termination analysis. 
This is crucial for the meaningfulness of the experimental evaluation presented 
in this section. 
8. Conclusions 

Linear ranking functions play a crucial role in termination analysis, as the 
termination of many programs can be decided by the existence of one such 
function. In this paper we have addressed the topic of the automatic synthesis 
of linear ranking functions with the aim of clarifying its origins, thoroughly 
explaining the underlying theory, and presenting new, efficient implementations 
that are being made available to the general public. 

In particular, we have introduced, in general terms independent from any 
programming paradigm, the problem of automatic termination analysis of indi- 
vidual loops, to which more general control flows can be reduced, and 
its solution technique based on the synthesis of ranking functions. 

We have then presented and generalized a technique originally due to Sohn 
and Van Gelder, that was virtually unknown outside the logic programming field 
despite its general applicability and its relative completeness (given a linear 
constraint system approximating the behavior of a loop, if a linear ranking 
function exists for that system, then the method will find it). This method, due 
to its ability to characterize the spaces of all the linear decreasing functions and 
all the linear bounded functions, is also immediately applicable to conditional 
termination analysis; this theme is an excellent candidate for future work. 

We have also presented and, for the first time, fully justified a more recent 
technique by Podelski and Rybalchenko. For this we also present an alternative 
formulation that can lead to efficiency improvements. 

We have compared the two methods, first proving their equivalence, 
thus obtaining an independent confirmation of their correctness and relative 
completeness, and then studying their worst-case complexity. 

Finally, we have presented the implementation of all the techniques described 
in the paper recently included in the Parma Polyhedra Library, along with an 
experimental evaluation covering both the efficiency and the precision of the 
analysis. 